@tenxyte/core 0.1.5 → 0.9.2

package/dist/index.d.cts CHANGED
@@ -1,1265 +1,2767 @@
1
- interface HttpClientOptions {
2
- baseUrl: string;
3
- timeoutMs?: number;
4
- headers?: Record<string, string>;
5
- }
6
- type RequestConfig = Omit<RequestInit, 'body' | 'headers'> & {
7
- body?: unknown;
8
- headers?: Record<string, string>;
9
- params?: Record<string, string | number | boolean>;
10
- };
11
- /**
12
- * Core HTTP Client underlying the SDK.
13
- * Handles JSON parsing, standard headers, simple request processing,
14
- * and normalizing errors into TenxyteError format.
15
- */
16
- declare class TenxyteHttpClient {
17
- private baseUrl;
18
- private defaultHeaders;
19
- private requestInterceptors;
20
- private responseInterceptors;
21
- constructor(options: HttpClientOptions);
22
- addRequestInterceptor(interceptor: typeof this.requestInterceptors[0]): void;
23
- addResponseInterceptor(interceptor: typeof this.responseInterceptors[0]): void;
24
- /**
25
- * Main request method wrapping fetch
26
- */
27
- request<T>(endpoint: string, config?: RequestConfig): Promise<T>;
28
- private normalizeError;
29
- get<T>(endpoint: string, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
30
- post<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
31
- put<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
32
- patch<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
33
- delete<T>(endpoint: string, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
34
- }
35
-
36
- interface components {
37
- schemas: {
38
- /**
39
- * @description * `login` - Login
40
- * * `login_failed` - Login Failed
41
- * * `logout` - Logout
42
- * * `logout_all` - Logout All Devices
43
- * * `token_refresh` - Token Refresh
44
- * * `password_change` - Password Changed
45
- * * `password_reset_request` - Password Reset Requested
46
- * * `password_reset_complete` - Password Reset Completed
47
- * * `2fa_enabled` - 2FA Enabled
48
- * * `2fa_disabled` - 2FA Disabled
49
- * * `2fa_backup_used` - 2FA Backup Code Used
50
- * * `account_created` - Account Created
51
- * * `account_locked` - Account Locked
52
- * * `account_unlocked` - Account Unlocked
53
- * * `email_verified` - Email Verified
54
- * * `phone_verified` - Phone Verified
55
- * * `role_assigned` - Role Assigned
56
- * * `role_removed` - Role Removed
57
- * * `permission_changed` - Permission Changed
58
- * * `app_created` - Application Created
59
- * * `app_credentials_regenerated` - Application Credentials Regenerated
60
- * * `account_deleted` - Account Deleted
61
- * * `suspicious_activity` - Suspicious Activity Detected
62
- * * `session_limit_exceeded` - Session Limit Exceeded
63
- * * `device_limit_exceeded` - Device Limit Exceeded
64
- * * `new_device_detected` - New Device Detected
65
- * * `agent_action` - Agent Action Executed
66
- * @enum {string}
67
- */
68
- ActionEnum: "login" | "login_failed" | "logout" | "logout_all" | "token_refresh" | "password_change" | "password_reset_request" | "password_reset_complete" | "2fa_enabled" | "2fa_disabled" | "2fa_backup_used" | "account_created" | "account_locked" | "account_unlocked" | "email_verified" | "phone_verified" | "role_assigned" | "role_removed" | "permission_changed" | "app_created" | "app_credentials_regenerated" | "account_deleted" | "suspicious_activity" | "session_limit_exceeded" | "device_limit_exceeded" | "new_device_detected" | "agent_action";
69
- /** @description Full serializer for admin user detail view. */
70
- AdminUserDetail: {
71
- readonly id: string;
72
- /** Format: email */
73
- email?: string | null;
74
- phone_country_code?: string | null;
75
- phone_number?: string | null;
76
- first_name?: string;
77
- last_name?: string;
78
- is_active?: boolean;
79
- is_locked?: boolean;
80
- /** Format: date-time */
81
- locked_until?: string | null;
82
- /** @description Permanent ban (manual admin action). Cannot be auto-lifted. */
83
- is_banned?: boolean;
84
- is_deleted?: boolean;
85
- /** Format: date-time */
86
- deleted_at?: string | null;
87
- is_email_verified?: boolean;
88
- is_phone_verified?: boolean;
89
- is_2fa_enabled?: boolean;
90
- is_staff?: boolean;
91
- is_superuser?: boolean;
92
- /**
93
- * Format: int64
94
- * @description Maximum concurrent sessions allowed (0 = unlimited)
95
- */
96
- max_sessions?: number;
97
- /**
98
- * Format: int64
99
- * @description Maximum unique devices allowed (0 = unlimited)
100
- */
101
- max_devices?: number;
102
- readonly roles: string[];
103
- readonly permissions: string[];
104
- /** Format: date-time */
105
- readonly created_at: string;
106
- /** Format: date-time */
107
- readonly updated_at: string;
108
- /** Format: date-time */
109
- last_login?: string | null;
110
- };
111
- /** @description Lightweight serializer for admin user listing. */
112
- AdminUserList: {
113
- readonly id: string;
114
- /** Format: email */
115
- email?: string | null;
116
- first_name?: string;
117
- last_name?: string;
118
- is_active?: boolean;
119
- is_locked?: boolean;
120
- /** @description Permanent ban (manual admin action). Cannot be auto-lifted. */
121
- is_banned?: boolean;
122
- is_deleted?: boolean;
123
- is_email_verified?: boolean;
124
- is_phone_verified?: boolean;
125
- is_2fa_enabled?: boolean;
126
- readonly roles: string[];
127
- /** Format: date-time */
128
- readonly created_at: string;
129
- /** Format: date-time */
130
- last_login?: string | null;
131
- };
132
- AgentConfirmRequest: {
133
- /** @description Confirmation token de l'action */
134
- token: string;
135
- };
136
- AgentErrorResponse: {
137
- error: string;
138
- code?: string;
139
- };
140
- AgentPendingActionList: {
141
- id: number;
142
- agent_id: string;
143
- permission: string;
144
- endpoint: string;
145
- payload: {
146
- [key: string]: unknown;
147
- } | null;
148
- confirmation_token: string;
149
- /** Format: date-time */
150
- expires_at: string;
151
- /** Format: date-time */
152
- created_at: string;
153
- };
154
- AgentReportUsageBudget: {
155
- error: string;
156
- status: string;
157
- };
158
- AgentReportUsageRequest: {
159
- /**
160
- * Format: double
161
- * @description Coût en USD de la session
162
- */
163
- cost_usd: number;
164
- /** @description Tokens prompt consommés */
165
- prompt_tokens: number;
166
- /** @description Tokens completion consommés */
167
- completion_tokens: number;
168
- };
169
- AgentRevokeAllOk: {
170
- status: string;
171
- /** @description Nombre de tokens révoqués */
172
- count: number;
173
- };
174
- AgentSuccessResponse: {
175
- status: string;
176
- };
177
- AgentTokenCreateRequest: {
178
- /** @description Identifiant de l'agent (ex: 'my-bot-v1') */
179
- agent_id: string;
180
- /** @description Durée de validité en secondes */
181
- expires_in?: number;
182
- /** @description Liste des permissions demandées */
183
- permissions?: string[];
184
- /** @description Slug organisation (alternatif à X-Org-Slug header) */
185
- organization?: string;
186
- /**
187
- * Format: double
188
- * @description Budget max en USD
189
- */
190
- budget_limit_usd?: number;
191
- circuit_breaker?: {
192
- [key: string]: unknown;
193
- };
194
- dead_mans_switch?: {
195
- [key: string]: unknown;
196
- };
197
- };
198
- AgentTokenCreated: {
199
- id: number;
200
- /** @description Token brut AgentBearer (secret, à stocker) */
201
- token: string;
202
- agent_id: string;
203
- status: string;
204
- /** Format: date-time */
205
- expires_at: string;
206
- };
207
- AgentTokenDetail: {
208
- id: number;
209
- agent_id: string;
210
- status: string;
211
- /** Format: date-time */
212
- expires_at: string;
213
- /** Format: date-time */
214
- created_at: string;
215
- organization: string | null;
216
- current_request_count: number;
217
- };
218
- AgentTokenList: {
219
- id: number;
220
- agent_id: string;
221
- status: string;
222
- /** Format: date-time */
223
- expires_at: string;
224
- /** Format: date-time */
225
- created_at: string;
226
- organization: string | null;
227
- current_request_count: number;
228
- };
229
- /** @description Serializer pour afficher les applications (sans le secret) */
230
- Application: {
231
- readonly id: string;
232
- name: string;
233
- description?: string;
234
- readonly access_key: string;
235
- is_active?: boolean;
236
- /** Format: date-time */
237
- readonly created_at: string;
238
- /** Format: date-time */
239
- readonly updated_at: string;
240
- };
241
- /** @description Serializer pour créer une application */
242
- ApplicationCreate: {
243
- name: string;
244
- /** @default */
245
- description: string;
246
- };
247
- /** @description Serializer pour mettre à jour une application */
248
- ApplicationUpdate: {
249
- name?: string;
250
- description?: string;
251
- is_active?: boolean;
252
- };
253
- AssignRole: {
254
- role_code: string;
255
- };
256
- /** @description Serializer for audit log entries. */
257
- AuditLog: {
258
- readonly id: string;
259
- user?: number | null;
260
- readonly user_email: string;
261
- action: components["schemas"]["ActionEnum"];
262
- ip_address?: string | null;
263
- user_agent?: string;
264
- application?: number | null;
265
- readonly application_name: string;
266
- details?: unknown;
267
- /** Format: date-time */
268
- readonly created_at: string;
269
- };
270
- /** @description Serializer for banning a user. */
271
- BanUser: {
272
- /**
273
- * @description Reason for the ban (stored in audit log)
274
- * @default
275
- */
276
- reason: string;
277
- };
278
- /** @description Serializer for blacklisted JWT tokens. */
279
- BlacklistedToken: {
280
- readonly id: string;
281
- token_jti: string;
282
- user?: number | null;
283
- readonly user_email: string;
284
- /** Format: date-time */
285
- readonly blacklisted_at: string;
286
- /** Format: date-time */
287
- expires_at: string;
288
- reason?: string;
289
- readonly is_expired: string;
290
- };
291
- CancelAccountDeletion: {
292
- /** @description Mot de passe actuel requis pour annulation */
293
- password: string;
294
- };
295
- ChangePassword: {
296
- current_password: string;
297
- new_password: string;
298
- };
299
- /** @description Serializer for admin deletion request listing/detail. */
300
- DeletionRequest: {
301
- readonly id: string;
302
- user: number;
303
- readonly user_email: string;
304
- status?: components["schemas"]["StatusEnum"];
305
- /** Format: date-time */
306
- readonly requested_at: string;
307
- /** Format: date-time */
308
- confirmed_at?: string | null;
309
- /** Format: date-time */
310
- grace_period_ends_at?: string | null;
311
- /** Format: date-time */
312
- completed_at?: string | null;
313
- ip_address?: string | null;
314
- /** @description Optional reason for deletion request */
315
- reason?: string;
316
- admin_notes?: string;
317
- processed_by?: number | null;
318
- readonly processed_by_email: string;
319
- readonly is_grace_period_expired: string;
320
- };
321
- ExportUserData: {
322
- /** @description Mot de passe actuel requis pour exporter les données */
323
- password: string;
324
- };
325
- /** @description Serializer for locking a user account. */
326
- LockUser: {
327
- /**
328
- * @description Lock duration in minutes (default: 30, max: 30 days)
329
- * @default 30
330
- */
331
- duration_minutes: number;
332
- /**
333
- * @description Reason for the lock (stored in audit log)
334
- * @default
335
- */
336
- reason: string;
337
- };
338
- /** @description Serializer for login attempt records. */
339
- LoginAttempt: {
340
- readonly id: string;
341
- identifier: string;
342
- ip_address: string;
343
- application?: number | null;
344
- success?: boolean;
345
- failure_reason?: string;
346
- /** Format: date-time */
347
- readonly created_at: string;
348
- };
349
- LoginEmail: {
350
- /** Format: email */
351
- email: string;
352
- password: string;
353
- /** @description Code 2FA (requis si 2FA activé) */
354
- totp_code?: string;
355
- /**
356
- * @description Device info au format v1 (ex: v=1|os=windows;osv=11|device=desktop)
357
- * @default
358
- */
359
- device_info: string;
360
- };
361
- LoginPhone: {
362
- phone_country_code: string;
363
- phone_number: string;
364
- password: string;
365
- /** @description Code 2FA (requis si 2FA activé) */
366
- totp_code?: string;
367
- /**
368
- * @description Device info au format v1 (ex: v=1|os=windows;osv=11|device=desktop)
369
- * @default
370
- */
371
- device_info: string;
372
- };
373
- MagicLinkRequest: {
374
- /**
375
- * Format: email
376
- * @description Adresse email pour recevoir le magic link
377
- */
378
- email: string;
379
- /**
380
- * Format: uri
381
- * @description URL pour construire le lien de vérification (obligatoire)
382
- */
383
- validation_url: string;
384
- };
385
- ManageRolePermissions: {
386
- /** @description Liste des codes de permissions à ajouter ou retirer */
387
- permission_codes: string[];
388
- };
389
- /**
390
- * @description * `email` - email
391
- * * `phone` - phone
392
- * @enum {string}
393
- */
394
- OtpTypeEnum: "email" | "phone";
395
- PaginatedAdminUserListList: {
396
- /**
397
- * @description Total number of items
398
- * @example 150
399
- */
400
- count: number;
401
- /**
402
- * @description Current page number
403
- * @example 1
404
- */
405
- page?: number;
406
- /**
407
- * @description Items per page
408
- * @example 20
409
- */
410
- page_size?: number;
411
- /**
412
- * @description Total number of pages
413
- * @example 8
414
- */
415
- total_pages?: number;
416
- /**
417
- * Format: uri
418
- * @description URL to the next page
419
- */
420
- next?: string | null;
421
- /**
422
- * Format: uri
423
- * @description URL to the previous page
424
- */
425
- previous?: string | null;
426
- results: components["schemas"]["AdminUserList"][];
427
- };
428
- PaginatedApplicationList: {
429
- /**
430
- * @description Total number of items
431
- * @example 150
432
- */
433
- count: number;
434
- /**
435
- * @description Current page number
436
- * @example 1
437
- */
438
- page?: number;
439
- /**
440
- * @description Items per page
441
- * @example 20
442
- */
443
- page_size?: number;
444
- /**
445
- * @description Total number of pages
446
- * @example 8
447
- */
448
- total_pages?: number;
449
- /**
450
- * Format: uri
451
- * @description URL to the next page
452
- */
453
- next?: string | null;
454
- /**
455
- * Format: uri
456
- * @description URL to the previous page
457
- */
458
- previous?: string | null;
459
- results: components["schemas"]["Application"][];
460
- };
461
- PaginatedAuditLogList: {
462
- /**
463
- * @description Total number of items
464
- * @example 150
465
- */
466
- count: number;
467
- /**
468
- * @description Current page number
469
- * @example 1
470
- */
471
- page?: number;
472
- /**
473
- * @description Items per page
474
- * @example 20
475
- */
476
- page_size?: number;
477
- /**
478
- * @description Total number of pages
479
- * @example 8
480
- */
481
- total_pages?: number;
482
- /**
483
- * Format: uri
484
- * @description URL to the next page
485
- */
486
- next?: string | null;
487
- /**
488
- * Format: uri
489
- * @description URL to the previous page
490
- */
491
- previous?: string | null;
492
- results: components["schemas"]["AuditLog"][];
493
- };
494
- PaginatedBlacklistedTokenList: {
495
- /**
496
- * @description Total number of items
497
- * @example 150
498
- */
499
- count: number;
500
- /**
501
- * @description Current page number
502
- * @example 1
503
- */
504
- page?: number;
505
- /**
506
- * @description Items per page
507
- * @example 20
508
- */
509
- page_size?: number;
510
- /**
511
- * @description Total number of pages
512
- * @example 8
513
- */
514
- total_pages?: number;
515
- /**
516
- * Format: uri
517
- * @description URL to the next page
518
- */
519
- next?: string | null;
520
- /**
521
- * Format: uri
522
- * @description URL to the previous page
523
- */
524
- previous?: string | null;
525
- results: components["schemas"]["BlacklistedToken"][];
526
- };
527
- PaginatedLoginAttemptList: {
528
- /**
529
- * @description Total number of items
530
- * @example 150
531
- */
532
- count: number;
533
- /**
534
- * @description Current page number
535
- * @example 1
536
- */
537
- page?: number;
538
- /**
539
- * @description Items per page
540
- * @example 20
541
- */
542
- page_size?: number;
543
- /**
544
- * @description Total number of pages
545
- * @example 8
546
- */
547
- total_pages?: number;
548
- /**
549
- * Format: uri
550
- * @description URL to the next page
551
- */
552
- next?: string | null;
553
- /**
554
- * Format: uri
555
- * @description URL to the previous page
556
- */
557
- previous?: string | null;
558
- results: components["schemas"]["LoginAttempt"][];
559
- };
560
- PaginatedPermissionList: {
561
- /**
562
- * @description Total number of items
563
- * @example 150
564
- */
565
- count: number;
566
- /**
567
- * @description Current page number
568
- * @example 1
569
- */
570
- page?: number;
571
- /**
572
- * @description Items per page
573
- * @example 20
574
- */
575
- page_size?: number;
576
- /**
577
- * @description Total number of pages
578
- * @example 8
579
- */
580
- total_pages?: number;
581
- /**
582
- * Format: uri
583
- * @description URL to the next page
584
- */
585
- next?: string | null;
586
- /**
587
- * Format: uri
588
- * @description URL to the previous page
589
- */
590
- previous?: string | null;
591
- results: components["schemas"]["Permission"][];
592
- };
593
- PaginatedRefreshTokenAdminList: {
594
- /**
595
- * @description Total number of items
596
- * @example 150
597
- */
598
- count: number;
599
- /**
600
- * @description Current page number
601
- * @example 1
602
- */
603
- page?: number;
604
- /**
605
- * @description Items per page
606
- * @example 20
607
- */
608
- page_size?: number;
609
- /**
610
- * @description Total number of pages
611
- * @example 8
612
- */
613
- total_pages?: number;
614
- /**
615
- * Format: uri
616
- * @description URL to the next page
617
- */
618
- next?: string | null;
619
- /**
620
- * Format: uri
621
- * @description URL to the previous page
622
- */
623
- previous?: string | null;
624
- results: components["schemas"]["RefreshTokenAdmin"][];
625
- };
626
- PaginatedRoleListList: {
627
- /**
628
- * @description Total number of items
629
- * @example 150
630
- */
631
- count: number;
632
- /**
633
- * @description Current page number
634
- * @example 1
635
- */
636
- page?: number;
637
- /**
638
- * @description Items per page
639
- * @example 20
640
- */
641
- page_size?: number;
642
- /**
643
- * @description Total number of pages
644
- * @example 8
645
- */
646
- total_pages?: number;
647
- /**
648
- * Format: uri
649
- * @description URL to the next page
650
- */
651
- next?: string | null;
652
- /**
653
- * Format: uri
654
- * @description URL to the previous page
655
- */
656
- previous?: string | null;
657
- results: components["schemas"]["RoleList"][];
658
- };
659
- PasswordResetConfirm: {
660
- code: string;
661
- new_password: string;
662
- };
663
- PasswordResetRequest: {
664
- /** Format: email */
665
- email?: string;
666
- phone_country_code?: string;
667
- phone_number?: string;
668
- };
669
- PasswordStrengthRequest: {
670
- password: string;
671
- /** Format: email */
672
- email?: string;
673
- };
674
- /** @description Serializer for admin user updates (partial). */
675
- PatchedAdminUserUpdate: {
676
- first_name?: string;
677
- last_name?: string;
678
- is_active?: boolean;
679
- is_staff?: boolean;
680
- is_superuser?: boolean;
681
- max_sessions?: number;
682
- max_devices?: number;
683
- };
684
- PatchedToggleApplicationStatus: {
685
- /** @description Nouveau statut actif de l'application */
686
- is_active?: boolean;
687
- };
688
- PatchedUpdateProfileRequest: {
689
- /** @description Prénom (max 30 caractères) */
690
- first_name?: string;
691
- /** @description Nom (max 30 caractères) */
692
- last_name?: string;
693
- /** @description Nom d'utilisateur unique (alphanumérique + underscores) */
694
- username?: string;
695
- /** @description Numéro de téléphone au format international (+33612345678) */
696
- phone?: string;
697
- /** @description Biographie (max 500 caractères) */
698
- bio?: string;
699
- /** @description Fuseau horaire (ex: Europe/Paris, America/New_York) */
700
- timezone?: string;
701
- /** @description Langue préférée */
702
- language?: string;
703
- /** @description Champs personnalisés (selon configuration organisation) */
704
- custom_fields?: {
705
- [key: string]: unknown;
706
- };
707
- };
708
- Permission: {
709
- readonly id: string;
710
- code: string;
711
- name: string;
712
- description?: string;
713
- readonly parent: {
714
- [key: string]: unknown;
715
- } | null;
716
- /** @description Code de la permission parente (hiérarchie) */
717
- parent_code?: string | null;
718
- readonly children: {
719
- [key: string]: unknown;
720
- }[];
721
- /** Format: date-time */
722
- readonly created_at: string;
723
- };
724
- ProcessDeletionRequest: {
725
- /** @description Texte de confirmation "PERMANENTLY DELETE" */
726
- confirmation: string;
727
- /** @description Notes administratives optionnelles */
728
- admin_notes?: string;
729
- };
730
- RefreshToken: {
731
- refresh_token: string;
732
- };
733
- /** @description Serializer for refresh tokens (admin view, token value hidden). */
734
- RefreshTokenAdmin: {
735
- readonly id: string;
736
- user: number;
737
- readonly user_email: string;
738
- application: number;
739
- readonly application_name: string;
740
- device_info?: string;
741
- ip_address?: string | null;
742
- is_revoked?: boolean;
743
- readonly is_expired: string;
744
- /** Format: date-time */
745
- expires_at: string;
746
- /** Format: date-time */
747
- readonly created_at: string;
748
- /** Format: date-time */
749
- readonly last_used_at: string;
750
- };
751
- RegenerateApplicationCredentials: {
752
- /** @description Texte de confirmation "REGENERATE" */
753
- confirmation: string;
754
- };
755
- Register: {
756
- /** Format: email */
757
- email?: string | null;
758
- phone_country_code?: string | null;
759
- phone_number?: string | null;
760
- password: string;
761
- /** @default */
762
- first_name: string;
763
- /** @default */
764
- last_name: string;
765
- /**
766
- * @description Si True, l'utilisateur est connecté immédiatement après l'inscription (tokens JWT retournés)
767
- * @default false
768
- */
769
- login: boolean;
770
- /**
771
- * @description Device info au format v1 (ex: v=1|os=windows;osv=11|device=desktop)
772
- * @default
773
- */
774
- device_info: string;
775
- };
776
- RequestAccountDeletion: {
777
- /** @description Mot de passe actuel requis pour confirmation */
778
- password: string;
779
- /** @description Code OTP à 6 chiffres (requis si 2FA activé) */
780
- otp_code?: string;
781
- /** @description Raison optionnelle de la suppression */
782
- reason?: string;
783
- };
784
- RequestOTP: {
785
- otp_type: components["schemas"]["OtpTypeEnum"];
786
- };
787
- Role: {
788
- readonly id: string;
789
- code: string;
790
- name: string;
791
- description?: string;
792
- readonly permissions: components["schemas"]["Permission"][];
793
- permission_codes?: string[];
794
- is_default?: boolean;
795
- /** Format: date-time */
796
- readonly created_at: string;
797
- /** Format: date-time */
798
- readonly updated_at: string;
799
- };
800
- /** @description Version allégée pour les listes */
801
- RoleList: {
802
- readonly id: string;
803
- code: string;
804
- name: string;
805
- is_default?: boolean;
806
- };
807
- SocialAuthRequest: {
808
- /** @description OAuth2 access token du provider */
809
- access_token?: string;
810
- /** @description Authorization code flow */
811
- code?: string;
812
- /** @description URI de redirection (requis avec code) */
813
- redirect_uri?: string;
814
- /** @description Google ID token uniquement */
815
- id_token?: string;
816
- /** @description Informations device (optionnel) */
817
- device_info?: string;
818
- };
819
- SocialCallbackError: {
820
- error: string;
821
- code: string;
822
- };
823
- SocialCallbackRedirect: {
824
- /** @description URL de redirection avec tokens en paramètres query */
825
- location: string;
826
- };
827
- SocialCallbackResponse: {
828
- access: string;
829
- refresh: string;
830
- provider: string;
831
- is_new_user: boolean;
832
- };
833
- SocialCallbackUnauthorized: {
834
- error: string;
835
- code: string;
836
- };
837
- /**
838
- * @description * `pending` - Pending
839
- * * `confirmation_sent` - Confirmation Sent
840
- * * `confirmed` - Confirmed
841
- * * `completed` - Completed
842
- * * `cancelled` - Cancelled
843
- * @enum {string}
844
- */
845
- StatusEnum: "pending" | "confirmation_sent" | "confirmed" | "completed" | "cancelled";
846
- TokenRequest: {
847
- /** @description Confirmation token de l'action */
848
- token: string;
849
- };
850
- TwoFactorBackupCodesRequest: {
851
- /** @description Code TOTP à 6 chiffres pour validation */
852
- code: string;
853
- };
854
- TwoFactorConfirmRequest: {
855
- /** @description Code TOTP à 6 chiffres */
856
- code: string;
857
- };
858
- TwoFactorDisableRequest: {
859
- /** @description Code TOTP ou code de secours à 8 chiffres */
860
- code: string;
861
- /** @description Mot de passe de l'utilisateur pour confirmation */
862
- password: string;
863
- };
864
- VerifyOTP: {
865
- code: string;
866
- };
867
- WebAuthnAuthenticateBeginRequest: {
868
- /**
869
- * Format: email
870
- * @description Optionnel — pour credentials utilisateur spécifiques
871
- */
872
- email?: string;
873
- };
874
- WebAuthnAuthenticateCompleteRequest: {
875
- /** @description ID du challenge généré */
876
- challenge_id: number;
877
- /** @description Assertion WebAuthn du navigateur */
878
- credential: {
879
- [key: string]: unknown;
880
- };
881
- /** @description Informations sur le device (optionnel) */
882
- device_info?: string;
883
- };
884
- WebAuthnRegisterCompleteRequest: {
885
- /** @description ID du challenge généré */
886
- challenge_id: number;
887
- /** @description Credential WebAuthn du navigateur */
888
- credential: {
889
- [key: string]: unknown;
890
- };
891
- /** @description Nom optionnel du device */
892
- device_name?: string;
893
- };
894
- User: {
895
- /** Format: uuid */
896
- id?: string;
897
- email?: string;
898
- phone_country_code?: string | null;
899
- phone_number?: string | null;
900
- first_name?: string;
901
- last_name?: string;
902
- is_email_verified?: boolean;
903
- is_phone_verified?: boolean;
904
- is_2fa_enabled?: boolean;
905
- roles?: string[];
906
- permissions?: string[];
907
- /** Format: date-time */
908
- created_at?: string;
909
- /** Format: date-time */
910
- last_login?: string | null;
911
- };
912
- };
913
- responses: never;
914
- parameters: never;
915
- requestBodies: never;
916
- headers: never;
917
- pathItems: never;
918
- }
919
-
920
- type GeneratedSchema = components['schemas'];
921
- /**
922
- * Core User Interface exposed by the SDK.
923
- */
924
- interface TenxyteUser {
925
- id: string;
926
- email: string | null;
927
- phone_country_code: string | null;
928
- phone_number: string | null;
929
- first_name: string;
930
- last_name: string;
931
- is_email_verified: boolean;
932
- is_phone_verified: boolean;
933
- is_2fa_enabled: boolean;
934
- roles: string[];
935
- permissions: string[];
936
- created_at: string;
937
- last_login: string | null;
938
- }
939
- /**
940
- * Standard SDK Token Pair (internal structure normalized by interceptors)
941
- */
942
- interface TokenPair {
943
- access_token: string;
944
- refresh_token: string;
945
- token_type: 'Bearer';
946
- expires_in: number;
947
- device_summary: string | null;
948
- }
949
- /**
950
- * Standardized API Error Response wrapper
951
- */
952
- interface TenxyteError {
953
- error: string;
954
- code: TenxyteErrorCode;
955
- details?: Record<string, string[]> | string;
956
- retry_after?: number;
957
- }
958
- type TenxyteErrorCode = 'LOGIN_FAILED' | 'INVALID_CREDENTIALS' | 'ACCOUNT_LOCKED' | 'ACCOUNT_BANNED' | '2FA_REQUIRED' | 'ADMIN_2FA_SETUP_REQUIRED' | 'TOKEN_EXPIRED' | 'TOKEN_BLACKLISTED' | 'REFRESH_FAILED' | 'PERMISSION_DENIED' | 'SESSION_LIMIT_EXCEEDED' | 'DEVICE_LIMIT_EXCEEDED' | 'RATE_LIMITED' | 'INVALID_OTP' | 'OTP_EXPIRED' | 'INVALID_PROVIDER' | 'SOCIAL_AUTH_FAILED' | 'VALIDATION_URL_REQUIRED' | 'INVALID_TOKEN' | 'CONFIRMATION_REQUIRED' | 'PASSWORD_REQUIRED' | 'INVALID_PASSWORD' | 'INVALID_DEVICE_INFO' | 'ORG_NOT_FOUND' | 'NOT_ORG_MEMBER' | 'NOT_OWNER' | 'ALREADY_MEMBER' | 'MEMBER_LIMIT_EXCEEDED' | 'HAS_CHILDREN' | 'CIRCULAR_HIERARCHY' | 'LAST_OWNER_REQUIRED' | 'INVITATION_EXISTS' | 'INVALID_ROLE' | 'AGENT_NOT_FOUND' | 'AGENT_SUSPENDED' | 'AGENT_REVOKED' | 'AGENT_EXPIRED' | 'BUDGET_EXCEEDED' | 'RATE_LIMIT_EXCEEDED' | 'HEARTBEAT_MISSING' | 'AIRS_DISABLED';
959
- /**
960
- * Organization Structure
961
- */
962
- interface Organization {
963
- id: number;
964
- name: string;
965
- slug: string;
966
- description: string | null;
967
- metadata: Record<string, unknown> | null;
968
- is_active: boolean;
969
- max_members: number;
970
- member_count: number;
971
- created_at: string;
972
- updated_at: string;
973
- parent: {
974
- id: number;
975
- name: string;
976
- slug: string;
977
- } | null;
978
- children: Array<{
979
- id: number;
980
- name: string;
981
- slug: string;
982
- }>;
983
- user_role: string | null;
984
- user_permissions: string[];
985
- }
986
- /**
987
- * Base Pagination Response wrapper
988
- */
989
- interface PaginatedResponse<T> {
990
- count: number;
991
- page: number;
992
- page_size: number;
993
- total_pages: number;
994
- next: string | null;
995
- previous: string | null;
996
- results: T[];
997
- }
998
- /**
999
- * AIRS Agent Token metadata
1000
- */
1001
- interface AgentTokenSummary {
1002
- id: number;
1003
- agent_id: string;
1004
- status: 'ACTIVE' | 'SUSPENDED' | 'REVOKED' | 'EXPIRED';
1005
- expires_at: string;
1006
- created_at: string;
1007
- organization: string | null;
1008
- current_request_count: number;
1009
- }
1010
- /**
1011
- * Request awaiting Human-In-The-Loop approval
1012
- */
1013
- interface AgentPendingAction {
1014
- id: number;
1015
- agent_id: string;
1016
- permission: string;
1017
- endpoint: string;
1018
- payload: unknown;
1019
- confirmation_token: string;
1020
- expires_at: string;
1021
- created_at: string;
1022
- }
1023
-
1024
- interface LoginEmailOptions {
1025
- totp_code?: string;
1026
- }
1027
- interface LoginPhoneOptions {
1028
- totp_code?: string;
1029
- }
1030
- type RegisterRequest = any;
1031
- interface MagicLinkRequest {
1032
- email: string;
1033
- }
1034
- interface SocialLoginRequest {
1035
- access_token?: string;
1036
- authorization_code?: string;
1037
- id_token?: string;
1038
- }
1039
- declare class AuthModule {
1040
- private client;
1041
- constructor(client: TenxyteHttpClient);
1042
- /**
1043
- * Authenticate user with email and password
1044
- */
1045
- loginWithEmail(data: GeneratedSchema['LoginEmail']): Promise<TokenPair>;
1046
- /**
1047
- * Authenticate user with international phone number and password
1048
- */
1049
- loginWithPhone(data: GeneratedSchema['LoginPhone']): Promise<TokenPair>;
1050
- /**
1051
- * Register a new user
1052
- */
1053
- register(data: RegisterRequest): Promise<any>;
1054
- /**
1055
- * Logout from the current session
1056
- */
1057
- logout(refreshToken: string): Promise<void>;
1058
- /**
1059
- * Logout from all sessions (revokes all refresh tokens)
1060
- */
1061
- logoutAll(): Promise<void>;
1062
- /**
1063
- * Request a magic link for sign-in
1064
- */
1065
- requestMagicLink(data: MagicLinkRequest): Promise<void>;
1066
- /**
1067
- * Verify a magic link token
1068
- */
1069
- verifyMagicLink(token: string): Promise<TokenPair>;
1070
- /**
1071
- * Perform OAuth2 Social Authentication (e.g. Google, GitHub)
1072
- */
1073
- loginWithSocial(provider: 'google' | 'github' | 'microsoft' | 'facebook', data: SocialLoginRequest): Promise<TokenPair>;
1074
- /**
1075
- * Handle Social Auth Callback (authorization code flow)
1076
- */
1077
- handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string): Promise<TokenPair>;
1078
- }
1079
-
1080
- interface OtpRequestParams {
1081
- email?: string;
1082
- phone_country_code?: string;
1083
- phone_number?: string;
1084
- type: 'email_verification' | 'phone_verification' | 'password_reset';
1085
- }
1086
- interface VerifyOtpEmailParams {
1087
- email: string;
1088
- code: string;
1089
- }
1090
- interface VerifyOtpPhoneParams {
1091
- phone_country_code: string;
1092
- phone_number: string;
1093
- code: string;
1094
- }
1095
- interface Setup2FAResponse {
1096
- qr_code_url: string;
1097
- secret: string;
1098
- backup_codes: string[];
1099
- }
1100
- interface WebAuthnRegisterBeginResponse {
1101
- publicKey: any;
1102
- }
1103
- interface WebAuthnAuthenticateBeginResponse {
1104
- publicKey: any;
1105
- }
1106
- declare class SecurityModule {
1107
- private client;
1108
- constructor(client: TenxyteHttpClient);
1109
- requestOtp(data: OtpRequestParams): Promise<void>;
1110
- verifyOtpEmail(data: VerifyOtpEmailParams): Promise<void>;
1111
- verifyOtpPhone(data: VerifyOtpPhoneParams): Promise<void>;
1112
- get2FAStatus(): Promise<{
1113
- is_enabled: boolean;
1114
- backup_codes_remaining: number;
1115
- }>;
1116
- setup2FA(): Promise<Setup2FAResponse>;
1117
- confirm2FA(totp_code: string): Promise<void>;
1118
- disable2FA(totp_code: string, password?: string): Promise<void>;
1119
- regenerateBackupCodes(totp_code: string): Promise<{
1120
- backup_codes: string[];
1121
- }>;
1122
- resetPasswordRequest(data: {
1123
- email?: string;
1124
- phone_country_code?: string;
1125
- phone_number?: string;
1126
- }): Promise<void>;
1127
- resetPasswordConfirm(data: {
1128
- otp_code: string;
1129
- new_password: string;
1130
- email?: string;
1131
- phone_country_code?: string;
1132
- phone_number?: string;
1133
- }): Promise<void>;
1134
- changePassword(data: {
1135
- current_password: string;
1136
- new_password: string;
1137
- }): Promise<void>;
1138
- checkPasswordStrength(data: {
1139
- password: string;
1140
- email?: string;
1141
- }): Promise<{
1142
- score: number;
1143
- feedback: string[];
1144
- }>;
1145
- getPasswordRequirements(): Promise<any>;
1146
- registerWebAuthnBegin(): Promise<WebAuthnRegisterBeginResponse>;
1147
- registerWebAuthnComplete(data: any): Promise<void>;
1148
- authenticateWebAuthnBegin(data?: {
1149
- email?: string;
1150
- }): Promise<WebAuthnAuthenticateBeginResponse>;
1151
- authenticateWebAuthnComplete(data: any): Promise<TokenPair>;
1152
- listWebAuthnCredentials(): Promise<any[]>;
1153
- deleteWebAuthnCredential(credentialId: string): Promise<void>;
1154
- }
1155
-
1156
- interface Role {
1157
- id: string;
1158
- name: string;
1159
- description?: string;
1160
- is_default?: boolean;
1161
- permissions?: string[];
1162
- }
1163
- interface Permission {
1164
- id: string;
1165
- code: string;
1166
- name: string;
1167
- description?: string;
1168
- }
1169
- declare class RbacModule {
1170
- private client;
1171
- private cachedToken;
1172
- constructor(client: TenxyteHttpClient);
1173
- /**
1174
- * Cache a token to use for parameter-less synchronous checks.
1175
- */
1176
- setToken(token: string | null): void;
1177
- private getDecodedToken;
1178
- hasRole(role: string, token?: string): boolean;
1179
- hasAnyRole(roles: string[], token?: string): boolean;
1180
- hasAllRoles(roles: string[], token?: string): boolean;
1181
- hasPermission(permission: string, token?: string): boolean;
1182
- hasAnyPermission(permissions: string[], token?: string): boolean;
1183
- hasAllPermissions(permissions: string[], token?: string): boolean;
1184
- listRoles(): Promise<Role[]>;
1185
- createRole(data: {
1186
- name: string;
1187
- description?: string;
1188
- permission_codes?: string[];
1189
- is_default?: boolean;
1190
- }): Promise<Role>;
1191
- getRole(roleId: string): Promise<Role>;
1192
- updateRole(roleId: string, data: {
1193
- name?: string;
1194
- description?: string;
1195
- permission_codes?: string[];
1196
- is_default?: boolean;
1197
- }): Promise<Role>;
1198
- deleteRole(roleId: string): Promise<void>;
1199
- getRolePermissions(roleId: string): Promise<Permission[]>;
1200
- addPermissionsToRole(roleId: string, permission_codes: string[]): Promise<void>;
1201
- removePermissionsFromRole(roleId: string, permission_codes: string[]): Promise<void>;
1202
- listPermissions(): Promise<Permission[]>;
1203
- createPermission(data: {
1204
- code: string;
1205
- name: string;
1206
- description?: string;
1207
- parent_code?: string;
1208
- }): Promise<Permission>;
1209
- getPermission(permissionId: string): Promise<Permission>;
1210
- updatePermission(permissionId: string, data: {
1211
- name?: string;
1212
- description?: string;
1213
- }): Promise<Permission>;
1214
- deletePermission(permissionId: string): Promise<void>;
1215
- assignRoleToUser(userId: string, roleCode: string): Promise<void>;
1216
- removeRoleFromUser(userId: string, roleCode: string): Promise<void>;
1217
- assignPermissionsToUser(userId: string, permissionCodes: string[]): Promise<void>;
1218
- removePermissionsFromUser(userId: string, permissionCodes: string[]): Promise<void>;
1219
- }
1220
-
1221
- interface UpdateProfileParams {
1222
- first_name?: string;
1223
- last_name?: string;
1224
- [key: string]: any;
1225
- }
1226
- interface AdminUpdateUserParams {
1227
- first_name?: string;
1228
- last_name?: string;
1229
- is_active?: boolean;
1230
- is_locked?: boolean;
1231
- max_sessions?: number;
1232
- max_devices?: number;
1233
- }
1234
- declare class UserModule {
1235
- private client;
1236
- constructor(client: TenxyteHttpClient);
1237
- getProfile(): Promise<any>;
1238
- updateProfile(data: UpdateProfileParams): Promise<any>;
1239
- /**
1240
- * Upload an avatar using FormData.
1241
- * Ensure the environment supports FormData (browser or Node.js v18+).
1242
- * @param formData The FormData object containing the 'avatar' field.
1243
- */
1244
- uploadAvatar(formData: FormData): Promise<any>;
1245
- deleteAccount(password: string, otpCode?: string): Promise<void>;
1246
- listUsers(params?: Record<string, any>): Promise<any[]>;
1247
- getUser(userId: string): Promise<any>;
1248
- adminUpdateUser(userId: string, data: AdminUpdateUserParams): Promise<any>;
1249
- adminDeleteUser(userId: string): Promise<void>;
1250
- banUser(userId: string, reason?: string): Promise<void>;
1251
- unbanUser(userId: string): Promise<void>;
1252
- lockUser(userId: string, durationMinutes?: number, reason?: string): Promise<void>;
1253
- unlockUser(userId: string): Promise<void>;
1254
- }
1255
-
1256
- declare class TenxyteClient {
1257
- http: TenxyteHttpClient;
1258
- auth: AuthModule;
1259
- security: SecurityModule;
1260
- rbac: RbacModule;
1261
- user: UserModule;
1262
- constructor(options: HttpClientOptions);
1263
- }
1264
-
1265
- export { type AdminUpdateUserParams, type AgentPendingAction, type AgentTokenSummary, AuthModule, type GeneratedSchema, type HttpClientOptions, type LoginEmailOptions, type LoginPhoneOptions, type MagicLinkRequest, type Organization, type OtpRequestParams, type PaginatedResponse, type Permission, RbacModule, type RegisterRequest, type RequestConfig, type Role, SecurityModule, type Setup2FAResponse, type SocialLoginRequest, TenxyteClient, type TenxyteError, type TenxyteErrorCode, TenxyteHttpClient, type TenxyteUser, type TokenPair, type UpdateProfileParams, UserModule, type VerifyOtpEmailParams, type VerifyOtpPhoneParams, type WebAuthnAuthenticateBeginResponse, type WebAuthnRegisterBeginResponse };
1
+ /**
2
+ * MemoryStorage implementation primarily used in Node.js (SSR)
3
+ * environments or as a fallback when browser storage is unavailable.
4
+ */
5
+ declare class MemoryStorage implements TenxyteStorage {
6
+ private store;
7
+ constructor();
8
+ getItem(key: string): string | null;
9
+ setItem(key: string, value: string): void;
10
+ removeItem(key: string): void;
11
+ clear(): void;
12
+ }
13
+
14
+ /**
15
+ * LocalStorage wrapper for the browser.
16
+ * Degrades gracefully to MemoryStorage if localStorage is unavailable
17
+ * (e.g., SSR, Private Browsing mode strictness).
18
+ */
19
+ declare class LocalStorage implements TenxyteStorage {
20
+ private fallbackMemoryStore;
21
+ private isAvailable;
22
+ constructor();
23
+ private checkAvailability;
24
+ getItem(key: string): string | null;
25
+ setItem(key: string, value: string): void;
26
+ removeItem(key: string): void;
27
+ clear(): void;
28
+ }
29
+
30
+ /**
31
+ * CookieStorage implementation
32
+ * Note: To be secure, tokens should be HttpOnly where possible.
33
+ * This class handles client-side cookies if necessary.
34
+ */
35
+ declare class CookieStorage implements TenxyteStorage {
36
+ private defaultOptions;
37
+ constructor(options?: {
38
+ secure?: boolean;
39
+ sameSite?: 'Strict' | 'Lax' | 'None';
40
+ });
41
+ getItem(key: string): string | null;
42
+ setItem(key: string, value: string): void;
43
+ removeItem(key: string): void;
44
+ clear(): void;
45
+ }
46
+
47
+ interface TenxyteStorage {
48
+ /**
49
+ * Retrieves a value from storage.
50
+ * @param key The key to retrieve
51
+ */
52
+ getItem(key: string): string | null | Promise<string | null>;
53
+ /**
54
+ * Saves a value to storage.
55
+ * @param key The key to store
56
+ * @param value The string value
57
+ */
58
+ setItem(key: string, value: string): void | Promise<void>;
59
+ /**
60
+ * Removes a specific key from storage.
61
+ * @param key The key to remove
62
+ */
63
+ removeItem(key: string): void | Promise<void>;
64
+ /**
65
+ * Clears all storage keys managed by the SDK.
66
+ */
67
+ clear(): void | Promise<void>;
68
+ }
69
+
70
+ /**
71
+ * Helper utility to build the device fingerprint required by Tenxyte security features.
72
+ * Format: `v=1|os=windows;osv=11|device=desktop|arch=x64|app=tenxyte;appv=1.0.0|runtime=chrome;rtv=122|tz=Europe/Paris`
73
+ */
74
+ interface CustomDeviceInfo {
75
+ os?: string;
76
+ osVersion?: string;
77
+ device?: string;
78
+ arch?: string;
79
+ app?: string;
80
+ appVersion?: string;
81
+ runtime?: string;
82
+ runtimeVersion?: string;
83
+ timezone?: string;
84
+ }
85
+ declare function buildDeviceInfo(customInfo?: CustomDeviceInfo): string;
86
+
87
+ interface HttpClientOptions {
88
+ baseUrl: string;
89
+ timeoutMs?: number;
90
+ headers?: Record<string, string>;
91
+ }
92
+ type RequestConfig = Omit<RequestInit, 'body' | 'headers'> & {
93
+ body?: unknown;
94
+ headers?: Record<string, string>;
95
+ params?: Record<string, string | number | boolean>;
96
+ };
97
+ /**
98
+ * Core HTTP Client underlying the SDK.
99
+ * Handles JSON parsing, standard headers, simple request processing,
100
+ * and normalizing errors into TenxyteError format.
101
+ */
102
+ declare class TenxyteHttpClient {
103
+ private baseUrl;
104
+ private defaultHeaders;
105
+ private timeoutMs;
106
+ private requestInterceptors;
107
+ private responseInterceptors;
108
+ constructor(options: HttpClientOptions);
109
+ addRequestInterceptor(interceptor: typeof this.requestInterceptors[0]): void;
110
+ addResponseInterceptor(interceptor: typeof this.responseInterceptors[0]): void;
111
+ /**
112
+ * Main request method wrapping fetch
113
+ */
114
+ request<T>(endpoint: string, config?: RequestConfig): Promise<T>;
115
+ private normalizeError;
116
+ get<T>(endpoint: string, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
117
+ post<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
118
+ put<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
119
+ patch<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
120
+ delete<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>): Promise<T>;
121
+ }
122
+
123
+ interface TenxyteContext {
124
+ activeOrgSlug: string | null;
125
+ agentTraceId: string | null;
126
+ }
127
+ declare function createAuthInterceptor(storage: TenxyteStorage, context: TenxyteContext): (request: RequestConfig & {
128
+ url: string;
129
+ }) => Promise<{
130
+ headers: {
131
+ [x: string]: string;
132
+ };
133
+ cache?: RequestCache | undefined;
134
+ credentials?: RequestCredentials | undefined;
135
+ integrity?: string | undefined;
136
+ keepalive?: boolean | undefined;
137
+ method?: string | undefined;
138
+ mode?: RequestMode | undefined;
139
+ priority?: RequestPriority | undefined;
140
+ redirect?: RequestRedirect | undefined;
141
+ referrer?: string | undefined;
142
+ referrerPolicy?: ReferrerPolicy | undefined;
143
+ signal?: (AbortSignal | null) | undefined;
144
+ window?: null | undefined;
145
+ body?: unknown;
146
+ params?: Record<string, string | number | boolean>;
147
+ url: string;
148
+ }>;
149
+ declare function createRefreshInterceptor(client: TenxyteHttpClient, storage: TenxyteStorage, onSessionExpired: () => void, onTokenRefreshed?: (accessToken: string, refreshToken?: string) => void): (response: Response, request: {
150
+ url: string;
151
+ config: RequestConfig;
152
+ }) => Promise<Response>;
153
+ /** Configuration for the automatic retry middleware. */
154
+ interface RetryConfig {
155
+ /** Maximum number of retries per request. Defaults to 3. */
156
+ maxRetries?: number;
157
+ /** Retry on HTTP 429 (Too Many Requests). Defaults to true. */
158
+ retryOn429?: boolean;
159
+ /** Retry on network errors (fetch failures, timeouts). Defaults to true. */
160
+ retryOnNetworkError?: boolean;
161
+ /** Base delay in ms for exponential backoff. Defaults to 1000. */
162
+ baseDelayMs?: number;
163
+ }
164
+ /**
165
+ * Creates a response interceptor that retries failed requests with exponential backoff.
166
+ * Respects the `Retry-After` header when present on 429 responses.
167
+ */
168
+ declare function createRetryInterceptor(config?: RetryConfig, logger?: TenxyteLogger): (response: Response, request: {
169
+ url: string;
170
+ config: RequestConfig;
171
+ }) => Promise<Response>;
172
+ declare function createDeviceInfoInterceptor(override?: CustomDeviceInfo): (request: RequestConfig & {
173
+ url: string;
174
+ }) => Omit<RequestInit, "body" | "headers"> & {
175
+ body?: unknown;
176
+ headers?: Record<string, string>;
177
+ params?: Record<string, string | number | boolean>;
178
+ } & {
179
+ url: string;
180
+ };
181
+
182
+ /**
183
+ * Semantic version of the SDK, kept in sync with package.json.
184
+ * Sent as X-SDK-Version header when diagnostics are enabled.
185
+ */
186
+ declare const SDK_VERSION = "0.9.0";
187
+ /**
188
+ * Log level controlling the verbosity of the SDK internal logger.
189
+ *
190
+ * - `'silent'` — No output (default).
191
+ * - `'error'` — Errors only.
192
+ * - `'warn'` — Errors and warnings.
193
+ * - `'debug'` — Verbose output including debug traces.
194
+ */
195
+ type LogLevel = 'silent' | 'error' | 'warn' | 'debug';
196
+ /**
197
+ * Pluggable logger interface accepted by the SDK.
198
+ * Any object satisfying this contract (e.g. `console`) can be passed as `logger`.
199
+ */
200
+ interface TenxyteLogger {
201
+ /** Verbose diagnostic messages (interceptors, token lifecycle, etc.) */
202
+ debug(message: string, ...args: unknown[]): void;
203
+ /** Non-critical issues that deserve attention (deprecated usage, retry fallback, etc.) */
204
+ warn(message: string, ...args: unknown[]): void;
205
+ /** Unrecoverable errors (network failures, malformed responses, etc.) */
206
+ error(message: string, ...args: unknown[]): void;
207
+ }
208
+ /**
209
+ * Configuration object accepted by {@link TenxyteClient}.
210
+ *
211
+ * Only `baseUrl` is required — every other option has a sensible default.
212
+ *
213
+ * @example
214
+ * ```typescript
215
+ * import { TenxyteClient } from '@tenxyte/core';
216
+ *
217
+ * const tx = new TenxyteClient({
218
+ * baseUrl: 'https://api.my-service.com',
219
+ * headers: { 'X-Access-Key': 'pkg_abc123' },
220
+ * autoRefresh: true,
221
+ * autoDeviceInfo: true,
222
+ * timeoutMs: 10_000,
223
+ * onSessionExpired: () => router.push('/login'),
224
+ * });
225
+ * ```
226
+ */
227
+ interface TenxyteClientConfig {
228
+ /** Base URL of the Tenxyte-powered API, without a trailing slash. */
229
+ baseUrl: string;
230
+ /** Extra HTTP headers merged into every outgoing request (e.g. X-Access-Key, X-Access-Secret). */
231
+ headers?: Record<string, string>;
232
+ /**
233
+ * Persistent token storage back-end.
234
+ * The SDK ships with MemoryStorage, LocalStorageAdapter, and CookieStorage.
235
+ * Defaults to MemoryStorage (in-memory, lost on page reload / process exit).
236
+ */
237
+ storage?: TenxyteStorage;
238
+ /**
239
+ * When true, the SDK automatically attaches a response interceptor that
240
+ * intercepts 401 responses, attempts a silent token refresh via
241
+ * POST /refresh/, and replays the original request on success.
242
+ * Defaults to true.
243
+ */
244
+ autoRefresh?: boolean;
245
+ /**
246
+ * When true, the SDK injects a device_info payload (built by
247
+ * buildDeviceInfo()) into every authentication request body
248
+ * (/login/email/, /login/phone/, /register/, /social/*).
249
+ * Set to false if you supply your own fingerprint or run in an
250
+ * environment where the auto-detected info is irrelevant (e.g. CI).
251
+ * Defaults to true.
252
+ */
253
+ autoDeviceInfo?: boolean;
254
+ /**
255
+ * Global request timeout in milliseconds.
256
+ * When set, every fetch call is wrapped with an AbortController.
257
+ * If the timer fires before the response arrives, the SDK throws a
258
+ * TenxyteError with code TIMEOUT.
259
+ * Defaults to undefined (no timeout).
260
+ */
261
+ timeoutMs?: number;
262
+ /**
263
+ * Callback invoked whenever the active session can no longer be recovered
264
+ * (e.g. refresh token is expired or revoked).
265
+ * This is a convenience shortcut equivalent to tx.on('session:expired', callback).
266
+ */
267
+ onSessionExpired?: () => void;
268
+ /**
269
+ * Custom logger implementation.
270
+ * Defaults to a silent no-op logger. Pass console for quick debugging
271
+ * or supply any object that satisfies the TenxyteLogger interface.
272
+ */
273
+ logger?: TenxyteLogger;
274
+ /**
275
+ * Controls the verbosity of the built-in logger when no custom logger
276
+ * is provided. Defaults to 'silent'.
277
+ */
278
+ logLevel?: LogLevel;
279
+ /**
280
+ * Override or supplement the auto-detected device information.
281
+ * When provided, these values are merged on top of the auto-detected
282
+ * fingerprint built by `buildDeviceInfo()`. Only relevant when
283
+ * `autoDeviceInfo` is `true`.
284
+ */
285
+ deviceInfoOverride?: CustomDeviceInfo;
286
+ /**
287
+ * When provided, the SDK attaches a response interceptor that
288
+ * automatically retries failed requests (429 / 5xx / network errors)
289
+ * with exponential backoff. Pass `{}` for sensible defaults.
290
+ */
291
+ retryConfig?: RetryConfig;
292
+ }
293
+ /**
294
+ * Fully resolved configuration where every optional field has been
295
+ * filled with its default value. This is the shape used internally
296
+ * by TenxyteClient after calling {@link resolveConfig}.
297
+ */
298
+ interface ResolvedTenxyteConfig {
299
+ baseUrl: string;
300
+ headers: Record<string, string>;
301
+ storage: TenxyteStorage;
302
+ autoRefresh: boolean;
303
+ autoDeviceInfo: boolean;
304
+ timeoutMs: number | undefined;
305
+ onSessionExpired: (() => void) | undefined;
306
+ logger: TenxyteLogger;
307
+ logLevel: LogLevel;
308
+ deviceInfoOverride: CustomDeviceInfo | undefined;
309
+ retryConfig: RetryConfig | undefined;
310
+ }
311
+ /** Silent no-op logger used when the consumer does not provide one. */
312
+ declare const NOOP_LOGGER: TenxyteLogger;
313
+ /**
314
+ * Merges user-provided configuration with sensible defaults.
315
+ *
316
+ * Default values:
317
+ * - storage: new MemoryStorage()
318
+ * - autoRefresh: true
319
+ * - autoDeviceInfo: true
320
+ * - headers: {}
321
+ * - logLevel: 'silent'
322
+ * - logger: NOOP_LOGGER
323
+ */
324
+ declare function resolveConfig(config: TenxyteClientConfig): ResolvedTenxyteConfig;
325
+
326
+ interface components {
327
+ schemas: {
328
+ /**
329
+ * @description * `login` - Login
330
+ * * `login_failed` - Login Failed
331
+ * * `logout` - Logout
332
+ * * `logout_all` - Logout All Devices
333
+ * * `token_refresh` - Token Refresh
334
+ * * `password_change` - Password Changed
335
+ * * `password_reset_request` - Password Reset Requested
336
+ * * `password_reset_complete` - Password Reset Completed
337
+ * * `2fa_enabled` - 2FA Enabled
338
+ * * `2fa_disabled` - 2FA Disabled
339
+ * * `2fa_backup_used` - 2FA Backup Code Used
340
+ * * `account_created` - Account Created
341
+ * * `account_locked` - Account Locked
342
+ * * `account_unlocked` - Account Unlocked
343
+ * * `email_verified` - Email Verified
344
+ * * `phone_verified` - Phone Verified
345
+ * * `role_assigned` - Role Assigned
346
+ * * `role_removed` - Role Removed
347
+ * * `permission_changed` - Permission Changed
348
+ * * `app_created` - Application Created
349
+ * * `app_credentials_regenerated` - Application Credentials Regenerated
350
+ * * `account_deleted` - Account Deleted
351
+ * * `suspicious_activity` - Suspicious Activity Detected
352
+ * * `session_limit_exceeded` - Session Limit Exceeded
353
+ * * `device_limit_exceeded` - Device Limit Exceeded
354
+ * * `new_device_detected` - New Device Detected
355
+ * * `agent_action` - Agent Action Executed
356
+ * @enum {string}
357
+ */
358
+ ActionEnum: "login" | "login_failed" | "logout" | "logout_all" | "token_refresh" | "password_change" | "password_reset_request" | "password_reset_complete" | "2fa_enabled" | "2fa_disabled" | "2fa_backup_used" | "account_created" | "account_locked" | "account_unlocked" | "email_verified" | "phone_verified" | "role_assigned" | "role_removed" | "permission_changed" | "app_created" | "app_credentials_regenerated" | "account_deleted" | "suspicious_activity" | "session_limit_exceeded" | "device_limit_exceeded" | "new_device_detected" | "agent_action";
359
+ /** @description Full serializer for admin user detail view. */
360
+ AdminUserDetail: {
361
+ readonly id: string;
362
+ /** Format: email */
363
+ email?: string | null;
364
+ phone_country_code?: string | null;
365
+ phone_number?: string | null;
366
+ first_name?: string;
367
+ last_name?: string;
368
+ is_active?: boolean;
369
+ is_locked?: boolean;
370
+ /** Format: date-time */
371
+ locked_until?: string | null;
372
+ /** @description Permanent ban (manual admin action). Cannot be auto-lifted. */
373
+ is_banned?: boolean;
374
+ is_deleted?: boolean;
375
+ /** Format: date-time */
376
+ deleted_at?: string | null;
377
+ is_email_verified?: boolean;
378
+ is_phone_verified?: boolean;
379
+ is_2fa_enabled?: boolean;
380
+ is_staff?: boolean;
381
+ is_superuser?: boolean;
382
+ /**
383
+ * Format: int64
384
+ * @description Maximum concurrent sessions allowed (0 = unlimited)
385
+ */
386
+ max_sessions?: number;
387
+ /**
388
+ * Format: int64
389
+ * @description Maximum unique devices allowed (0 = unlimited)
390
+ */
391
+ max_devices?: number;
392
+ readonly roles: string[];
393
+ readonly permissions: string[];
394
+ /** Format: date-time */
395
+ readonly created_at: string;
396
+ /** Format: date-time */
397
+ readonly updated_at: string;
398
+ /** Format: date-time */
399
+ last_login?: string | null;
400
+ };
401
+ /** @description Lightweight serializer for admin user listing. */
402
+ AdminUserList: {
403
+ readonly id: string;
404
+ /** Format: email */
405
+ email?: string | null;
406
+ first_name?: string;
407
+ last_name?: string;
408
+ is_active?: boolean;
409
+ is_locked?: boolean;
410
+ /** @description Permanent ban (manual admin action). Cannot be auto-lifted. */
411
+ is_banned?: boolean;
412
+ is_deleted?: boolean;
413
+ is_email_verified?: boolean;
414
+ is_phone_verified?: boolean;
415
+ is_2fa_enabled?: boolean;
416
+ readonly roles: string[];
417
+ /** Format: date-time */
418
+ readonly created_at: string;
419
+ /** Format: date-time */
420
+ last_login?: string | null;
421
+ };
422
+ AgentConfirmRequest: {
423
+ /** @description Confirmation token de l'action */
424
+ token: string;
425
+ };
426
+ AgentErrorResponse: {
427
+ error: string;
428
+ code?: string;
429
+ };
430
+ AgentPendingActionList: {
431
+ id: number;
432
+ agent_id: string;
433
+ permission: string;
434
+ endpoint: string;
435
+ payload: {
436
+ [key: string]: unknown;
437
+ } | null;
438
+ confirmation_token: string;
439
+ /** Format: date-time */
440
+ expires_at: string;
441
+ /** Format: date-time */
442
+ created_at: string;
443
+ };
444
+ AgentReportUsageBudget: {
445
+ error: string;
446
+ status: string;
447
+ };
448
+ AgentReportUsageRequest: {
449
+ /**
450
+ * Format: double
451
+ * @description Coût en USD de la session
452
+ */
453
+ cost_usd: number;
454
+ /** @description Tokens prompt consommés */
455
+ prompt_tokens: number;
456
+ /** @description Tokens completion consommés */
457
+ completion_tokens: number;
458
+ };
459
+ AgentRevokeAllOk: {
460
+ status: string;
461
+ /** @description Nombre de tokens révoqués */
462
+ count: number;
463
+ };
464
+ AgentSuccessResponse: {
465
+ status: string;
466
+ };
467
+ AgentTokenCreateRequest: {
468
+ /** @description Identifiant de l'agent (ex: 'my-bot-v1') */
469
+ agent_id: string;
470
+ /** @description Durée de validité en secondes */
471
+ expires_in?: number;
472
+ /** @description Liste des permissions demandées */
473
+ permissions?: string[];
474
+ /** @description Slug organisation (alternatif à X-Org-Slug header) */
475
+ organization?: string;
476
+ /**
477
+ * Format: double
478
+ * @description Budget max en USD
479
+ */
480
+ budget_limit_usd?: number;
481
+ circuit_breaker?: {
482
+ [key: string]: unknown;
483
+ };
484
+ dead_mans_switch?: {
485
+ [key: string]: unknown;
486
+ };
487
+ };
488
+ AgentTokenCreated: {
489
+ id: number;
490
+ /** @description Token brut AgentBearer (secret, à stocker) */
491
+ token: string;
492
+ agent_id: string;
493
+ status: string;
494
+ /** Format: date-time */
495
+ expires_at: string;
496
+ };
497
+ AgentTokenDetail: {
498
+ id: number;
499
+ agent_id: string;
500
+ status: string;
501
+ /** Format: date-time */
502
+ expires_at: string;
503
+ /** Format: date-time */
504
+ created_at: string;
505
+ organization: string | null;
506
+ current_request_count: number;
507
+ };
508
+ AgentTokenList: {
509
+ id: number;
510
+ agent_id: string;
511
+ status: string;
512
+ /** Format: date-time */
513
+ expires_at: string;
514
+ /** Format: date-time */
515
+ created_at: string;
516
+ organization: string | null;
517
+ current_request_count: number;
518
+ };
519
+ /** @description Serializer pour afficher les applications (sans le secret) */
520
+ Application: {
521
+ readonly id: string;
522
+ name: string;
523
+ description?: string;
524
+ readonly access_key: string;
525
+ is_active?: boolean;
526
+ /** Format: date-time */
527
+ readonly created_at: string;
528
+ /** Format: date-time */
529
+ readonly updated_at: string;
530
+ };
531
+ /** @description Serializer pour créer une application */
532
+ ApplicationCreate: {
533
+ name: string;
534
+ /** @default */
535
+ description: string;
536
+ };
537
+ /** @description Serializer pour mettre à jour une application */
538
+ ApplicationUpdate: {
539
+ name?: string;
540
+ description?: string;
541
+ is_active?: boolean;
542
+ };
543
+ AssignRole: {
544
+ role_code: string;
545
+ };
546
+ /** @description Serializer for audit log entries. */
547
+ AuditLog: {
548
+ readonly id: string;
549
+ user?: number | null;
550
+ readonly user_email: string;
551
+ action: components["schemas"]["ActionEnum"];
552
+ ip_address?: string | null;
553
+ user_agent?: string;
554
+ application?: number | null;
555
+ readonly application_name: string;
556
+ details?: unknown;
557
+ /** Format: date-time */
558
+ readonly created_at: string;
559
+ };
560
+ /** @description Serializer for banning a user. */
561
+ BanUser: {
562
+ /**
563
+ * @description Reason for the ban (stored in audit log)
564
+ * @default
565
+ */
566
+ reason: string;
567
+ };
568
+ /** @description Serializer for blacklisted JWT tokens. */
569
+ BlacklistedToken: {
570
+ readonly id: string;
571
+ token_jti: string;
572
+ user?: number | null;
573
+ readonly user_email: string;
574
+ /** Format: date-time */
575
+ readonly blacklisted_at: string;
576
+ /** Format: date-time */
577
+ expires_at: string;
578
+ reason?: string;
579
+ readonly is_expired: string;
580
+ };
581
+ CancelAccountDeletion: {
582
+ /** @description Mot de passe actuel requis pour annulation */
583
+ password: string;
584
+ };
585
+ ChangePassword: {
586
+ current_password: string;
587
+ new_password: string;
588
+ };
589
+ /** @description Serializer for admin deletion request listing/detail. */
590
+ DeletionRequest: {
591
+ readonly id: string;
592
+ user: number;
593
+ readonly user_email: string;
594
+ status?: components["schemas"]["StatusEnum"];
595
+ /** Format: date-time */
596
+ readonly requested_at: string;
597
+ /** Format: date-time */
598
+ confirmed_at?: string | null;
599
+ /** Format: date-time */
600
+ grace_period_ends_at?: string | null;
601
+ /** Format: date-time */
602
+ completed_at?: string | null;
603
+ ip_address?: string | null;
604
+ /** @description Optional reason for deletion request */
605
+ reason?: string;
606
+ admin_notes?: string;
607
+ processed_by?: number | null;
608
+ readonly processed_by_email: string;
609
+ readonly is_grace_period_expired: string;
610
+ };
611
+ ExportUserData: {
612
+ /** @description Mot de passe actuel requis pour exporter les données */
613
+ password: string;
614
+ };
615
+ /** @description Serializer for locking a user account. */
616
+ LockUser: {
617
+ /**
618
+ * @description Lock duration in minutes (default: 30, max: 30 days)
619
+ * @default 30
620
+ */
621
+ duration_minutes: number;
622
+ /**
623
+ * @description Reason for the lock (stored in audit log)
624
+ * @default
625
+ */
626
+ reason: string;
627
+ };
628
+ /** @description Serializer for login attempt records. */
629
+ LoginAttempt: {
630
+ readonly id: string;
631
+ identifier: string;
632
+ ip_address: string;
633
+ application?: number | null;
634
+ success?: boolean;
635
+ failure_reason?: string;
636
+ /** Format: date-time */
637
+ readonly created_at: string;
638
+ };
639
+ LoginEmail: {
640
+ /** Format: email */
641
+ email: string;
642
+ password: string;
643
+ /** @description Code 2FA (requis si 2FA activé) */
644
+ totp_code?: string;
645
+ /**
646
+ * @description Device info au format v1 (ex: v=1|os=windows;osv=11|device=desktop)
647
+ * @default
648
+ */
649
+ device_info: string;
650
+ };
651
+ LoginPhone: {
652
+ phone_country_code: string;
653
+ phone_number: string;
654
+ password: string;
655
+ /** @description Code 2FA (requis si 2FA activé) */
656
+ totp_code?: string;
657
+ /**
658
+ * @description Device info au format v1 (ex: v=1|os=windows;osv=11|device=desktop)
659
+ * @default
660
+ */
661
+ device_info: string;
662
+ };
663
+ MagicLinkRequest: {
664
+ /**
665
+ * Format: email
666
+ * @description Adresse email pour recevoir le magic link
667
+ */
668
+ email: string;
669
+ /**
670
+ * Format: uri
671
+ * @description URL pour construire le lien de vérification (obligatoire)
672
+ */
673
+ validation_url: string;
674
+ };
675
+ ManageRolePermissions: {
676
+ /** @description Liste des codes de permissions à ajouter ou retirer */
677
+ permission_codes: string[];
678
+ };
679
+ /**
680
+ * @description * `email` - email
681
+ * * `phone` - phone
682
+ * @enum {string}
683
+ */
684
+ OtpTypeEnum: "email" | "phone";
685
+ PaginatedAdminUserListList: {
686
+ /**
687
+ * @description Total number of items
688
+ * @example 150
689
+ */
690
+ count: number;
691
+ /**
692
+ * @description Current page number
693
+ * @example 1
694
+ */
695
+ page?: number;
696
+ /**
697
+ * @description Items per page
698
+ * @example 20
699
+ */
700
+ page_size?: number;
701
+ /**
702
+ * @description Total number of pages
703
+ * @example 8
704
+ */
705
+ total_pages?: number;
706
+ /**
707
+ * Format: uri
708
+ * @description URL to the next page
709
+ */
710
+ next?: string | null;
711
+ /**
712
+ * Format: uri
713
+ * @description URL to the previous page
714
+ */
715
+ previous?: string | null;
716
+ results: components["schemas"]["AdminUserList"][];
717
+ };
718
+ PaginatedApplicationList: {
719
+ /**
720
+ * @description Total number of items
721
+ * @example 150
722
+ */
723
+ count: number;
724
+ /**
725
+ * @description Current page number
726
+ * @example 1
727
+ */
728
+ page?: number;
729
+ /**
730
+ * @description Items per page
731
+ * @example 20
732
+ */
733
+ page_size?: number;
734
+ /**
735
+ * @description Total number of pages
736
+ * @example 8
737
+ */
738
+ total_pages?: number;
739
+ /**
740
+ * Format: uri
741
+ * @description URL to the next page
742
+ */
743
+ next?: string | null;
744
+ /**
745
+ * Format: uri
746
+ * @description URL to the previous page
747
+ */
748
+ previous?: string | null;
749
+ results: components["schemas"]["Application"][];
750
+ };
751
+ PaginatedAuditLogList: {
752
+ /**
753
+ * @description Total number of items
754
+ * @example 150
755
+ */
756
+ count: number;
757
+ /**
758
+ * @description Current page number
759
+ * @example 1
760
+ */
761
+ page?: number;
762
+ /**
763
+ * @description Items per page
764
+ * @example 20
765
+ */
766
+ page_size?: number;
767
+ /**
768
+ * @description Total number of pages
769
+ * @example 8
770
+ */
771
+ total_pages?: number;
772
+ /**
773
+ * Format: uri
774
+ * @description URL to the next page
775
+ */
776
+ next?: string | null;
777
+ /**
778
+ * Format: uri
779
+ * @description URL to the previous page
780
+ */
781
+ previous?: string | null;
782
+ results: components["schemas"]["AuditLog"][];
783
+ };
784
+ PaginatedBlacklistedTokenList: {
785
+ /**
786
+ * @description Total number of items
787
+ * @example 150
788
+ */
789
+ count: number;
790
+ /**
791
+ * @description Current page number
792
+ * @example 1
793
+ */
794
+ page?: number;
795
+ /**
796
+ * @description Items per page
797
+ * @example 20
798
+ */
799
+ page_size?: number;
800
+ /**
801
+ * @description Total number of pages
802
+ * @example 8
803
+ */
804
+ total_pages?: number;
805
+ /**
806
+ * Format: uri
807
+ * @description URL to the next page
808
+ */
809
+ next?: string | null;
810
+ /**
811
+ * Format: uri
812
+ * @description URL to the previous page
813
+ */
814
+ previous?: string | null;
815
+ results: components["schemas"]["BlacklistedToken"][];
816
+ };
817
+ PaginatedLoginAttemptList: {
818
+ /**
819
+ * @description Total number of items
820
+ * @example 150
821
+ */
822
+ count: number;
823
+ /**
824
+ * @description Current page number
825
+ * @example 1
826
+ */
827
+ page?: number;
828
+ /**
829
+ * @description Items per page
830
+ * @example 20
831
+ */
832
+ page_size?: number;
833
+ /**
834
+ * @description Total number of pages
835
+ * @example 8
836
+ */
837
+ total_pages?: number;
838
+ /**
839
+ * Format: uri
840
+ * @description URL to the next page
841
+ */
842
+ next?: string | null;
843
+ /**
844
+ * Format: uri
845
+ * @description URL to the previous page
846
+ */
847
+ previous?: string | null;
848
+ results: components["schemas"]["LoginAttempt"][];
849
+ };
850
+ PaginatedPermissionList: {
851
+ /**
852
+ * @description Total number of items
853
+ * @example 150
854
+ */
855
+ count: number;
856
+ /**
857
+ * @description Current page number
858
+ * @example 1
859
+ */
860
+ page?: number;
861
+ /**
862
+ * @description Items per page
863
+ * @example 20
864
+ */
865
+ page_size?: number;
866
+ /**
867
+ * @description Total number of pages
868
+ * @example 8
869
+ */
870
+ total_pages?: number;
871
+ /**
872
+ * Format: uri
873
+ * @description URL to the next page
874
+ */
875
+ next?: string | null;
876
+ /**
877
+ * Format: uri
878
+ * @description URL to the previous page
879
+ */
880
+ previous?: string | null;
881
+ results: components["schemas"]["Permission"][];
882
+ };
883
+ PaginatedRefreshTokenAdminList: {
884
+ /**
885
+ * @description Total number of items
886
+ * @example 150
887
+ */
888
+ count: number;
889
+ /**
890
+ * @description Current page number
891
+ * @example 1
892
+ */
893
+ page?: number;
894
+ /**
895
+ * @description Items per page
896
+ * @example 20
897
+ */
898
+ page_size?: number;
899
+ /**
900
+ * @description Total number of pages
901
+ * @example 8
902
+ */
903
+ total_pages?: number;
904
+ /**
905
+ * Format: uri
906
+ * @description URL to the next page
907
+ */
908
+ next?: string | null;
909
+ /**
910
+ * Format: uri
911
+ * @description URL to the previous page
912
+ */
913
+ previous?: string | null;
914
+ results: components["schemas"]["RefreshTokenAdmin"][];
915
+ };
916
+ PaginatedRoleListList: {
917
+ /**
918
+ * @description Total number of items
919
+ * @example 150
920
+ */
921
+ count: number;
922
+ /**
923
+ * @description Current page number
924
+ * @example 1
925
+ */
926
+ page?: number;
927
+ /**
928
+ * @description Items per page
929
+ * @example 20
930
+ */
931
+ page_size?: number;
932
+ /**
933
+ * @description Total number of pages
934
+ * @example 8
935
+ */
936
+ total_pages?: number;
937
+ /**
938
+ * Format: uri
939
+ * @description URL to the next page
940
+ */
941
+ next?: string | null;
942
+ /**
943
+ * Format: uri
944
+ * @description URL to the previous page
945
+ */
946
+ previous?: string | null;
947
+ results: components["schemas"]["RoleList"][];
948
+ };
949
+ PasswordResetConfirm: {
950
+ code: string;
951
+ new_password: string;
952
+ };
953
+ PasswordResetRequest: {
954
+ /** Format: email */
955
+ email?: string;
956
+ phone_country_code?: string;
957
+ phone_number?: string;
958
+ };
959
+ PasswordStrengthRequest: {
960
+ password: string;
961
+ /** Format: email */
962
+ email?: string;
963
+ };
964
+ /** @description Serializer for admin user updates (partial). */
965
+ PatchedAdminUserUpdate: {
966
+ first_name?: string;
967
+ last_name?: string;
968
+ is_active?: boolean;
969
+ is_staff?: boolean;
970
+ is_superuser?: boolean;
971
+ max_sessions?: number;
972
+ max_devices?: number;
973
+ };
974
+ PatchedToggleApplicationStatus: {
975
+ /** @description Nouveau statut actif de l'application */
976
+ is_active?: boolean;
977
+ };
978
+ PatchedUpdateProfileRequest: {
979
+ /** @description Prénom (max 30 caractères) */
980
+ first_name?: string;
981
+ /** @description Nom (max 30 caractères) */
982
+ last_name?: string;
983
+ /** @description Nom d'utilisateur unique (alphanumérique + underscores) */
984
+ username?: string;
985
+ /** @description Numéro de téléphone au format international (+33612345678) */
986
+ phone?: string;
987
+ /** @description Biographie (max 500 caractères) */
988
+ bio?: string;
989
+ /** @description Fuseau horaire (ex: Europe/Paris, America/New_York) */
990
+ timezone?: string;
991
+ /** @description Langue préférée */
992
+ language?: string;
993
+ /** @description Champs personnalisés (selon configuration organisation) */
994
+ custom_fields?: {
995
+ [key: string]: unknown;
996
+ };
997
+ };
998
+ Permission: {
999
+ readonly id: string;
1000
+ code: string;
1001
+ name: string;
1002
+ description?: string;
1003
+ readonly parent: {
1004
+ [key: string]: unknown;
1005
+ } | null;
1006
+ /** @description Code de la permission parente (hiérarchie) */
1007
+ parent_code?: string | null;
1008
+ readonly children: {
1009
+ [key: string]: unknown;
1010
+ }[];
1011
+ /** Format: date-time */
1012
+ readonly created_at: string;
1013
+ };
1014
+ ProcessDeletionRequest: {
1015
+ /** @description Texte de confirmation "PERMANENTLY DELETE" */
1016
+ confirmation: string;
1017
+ /** @description Notes administratives optionnelles */
1018
+ admin_notes?: string;
1019
+ };
1020
+ RefreshToken: {
1021
+ refresh_token: string;
1022
+ };
1023
+ /** @description Serializer for refresh tokens (admin view, token value hidden). */
1024
+ RefreshTokenAdmin: {
1025
+ readonly id: string;
1026
+ user: number;
1027
+ readonly user_email: string;
1028
+ application: number;
1029
+ readonly application_name: string;
1030
+ device_info?: string;
1031
+ ip_address?: string | null;
1032
+ is_revoked?: boolean;
1033
+ readonly is_expired: string;
1034
+ /** Format: date-time */
1035
+ expires_at: string;
1036
+ /** Format: date-time */
1037
+ readonly created_at: string;
1038
+ /** Format: date-time */
1039
+ readonly last_used_at: string;
1040
+ };
1041
+ RegenerateApplicationCredentials: {
1042
+ /** @description Texte de confirmation "REGENERATE" */
1043
+ confirmation: string;
1044
+ };
1045
+ Register: {
1046
+ /** Format: email */
1047
+ email?: string | null;
1048
+ phone_country_code?: string | null;
1049
+ phone_number?: string | null;
1050
+ password: string;
1051
+ /** @default */
1052
+ first_name: string;
1053
+ /** @default */
1054
+ last_name: string;
1055
+ /**
1056
+ * @description Si True, l'utilisateur est connecté immédiatement après l'inscription (tokens JWT retournés)
1057
+ * @default false
1058
+ */
1059
+ login: boolean;
1060
+ /**
1061
+ * @description Device info au format v1 (ex: v=1|os=windows;osv=11|device=desktop)
1062
+ * @default
1063
+ */
1064
+ device_info: string;
1065
+ };
1066
+ RequestAccountDeletion: {
1067
+ /** @description Mot de passe actuel requis pour confirmation */
1068
+ password: string;
1069
+ /** @description Code OTP à 6 chiffres (requis si 2FA activé) */
1070
+ otp_code?: string;
1071
+ /** @description Raison optionnelle de la suppression */
1072
+ reason?: string;
1073
+ };
1074
+ RequestOTP: {
1075
+ otp_type: components["schemas"]["OtpTypeEnum"];
1076
+ };
1077
+ Role: {
1078
+ readonly id: string;
1079
+ code: string;
1080
+ name: string;
1081
+ description?: string;
1082
+ readonly permissions: components["schemas"]["Permission"][];
1083
+ permission_codes?: string[];
1084
+ is_default?: boolean;
1085
+ /** Format: date-time */
1086
+ readonly created_at: string;
1087
+ /** Format: date-time */
1088
+ readonly updated_at: string;
1089
+ };
1090
+ /** @description Version allégée pour les listes */
1091
+ RoleList: {
1092
+ readonly id: string;
1093
+ code: string;
1094
+ name: string;
1095
+ is_default?: boolean;
1096
+ };
1097
+ SocialAuthRequest: {
1098
+ /** @description OAuth2 access token du provider */
1099
+ access_token?: string;
1100
+ /** @description Authorization code flow */
1101
+ code?: string;
1102
+ /** @description URI de redirection (requis avec code) */
1103
+ redirect_uri?: string;
1104
+ /** @description Google ID token uniquement */
1105
+ id_token?: string;
1106
+ /** @description Informations device (optionnel) */
1107
+ device_info?: string;
1108
+ };
1109
+ SocialCallbackError: {
1110
+ error: string;
1111
+ code: string;
1112
+ };
1113
+ SocialCallbackRedirect: {
1114
+ /** @description URL de redirection avec tokens en paramètres query */
1115
+ location: string;
1116
+ };
1117
+ SocialCallbackResponse: {
1118
+ access: string;
1119
+ refresh: string;
1120
+ provider: string;
1121
+ is_new_user: boolean;
1122
+ };
1123
+ SocialCallbackUnauthorized: {
1124
+ error: string;
1125
+ code: string;
1126
+ };
1127
+ /**
1128
+ * @description * `pending` - Pending
1129
+ * * `confirmation_sent` - Confirmation Sent
1130
+ * * `confirmed` - Confirmed
1131
+ * * `completed` - Completed
1132
+ * * `cancelled` - Cancelled
1133
+ * @enum {string}
1134
+ */
1135
+ StatusEnum: "pending" | "confirmation_sent" | "confirmed" | "completed" | "cancelled";
1136
+ TokenRequest: {
1137
+ /** @description Confirmation token de l'action */
1138
+ token: string;
1139
+ };
1140
+ TwoFactorBackupCodesRequest: {
1141
+ /** @description Code TOTP à 6 chiffres pour validation */
1142
+ code: string;
1143
+ };
1144
+ TwoFactorConfirmRequest: {
1145
+ /** @description Code TOTP à 6 chiffres */
1146
+ code: string;
1147
+ };
1148
+ TwoFactorDisableRequest: {
1149
+ /** @description Code TOTP ou code de secours à 8 chiffres */
1150
+ code: string;
1151
+ /** @description Mot de passe de l'utilisateur pour confirmation */
1152
+ password: string;
1153
+ };
1154
+ VerifyOTP: {
1155
+ code: string;
1156
+ };
1157
+ WebAuthnAuthenticateBeginRequest: {
1158
+ /**
1159
+ * Format: email
1160
+ * @description Optionnel — pour credentials utilisateur spécifiques
1161
+ */
1162
+ email?: string;
1163
+ };
1164
+ WebAuthnAuthenticateCompleteRequest: {
1165
+ /** @description ID du challenge généré */
1166
+ challenge_id: number;
1167
+ /** @description Assertion WebAuthn du navigateur */
1168
+ credential: {
1169
+ [key: string]: unknown;
1170
+ };
1171
+ /** @description Informations sur le device (optionnel) */
1172
+ device_info?: string;
1173
+ };
1174
+ WebAuthnRegisterCompleteRequest: {
1175
+ /** @description ID du challenge généré */
1176
+ challenge_id: number;
1177
+ /** @description Credential WebAuthn du navigateur */
1178
+ credential: {
1179
+ [key: string]: unknown;
1180
+ };
1181
+ /** @description Nom optionnel du device */
1182
+ device_name?: string;
1183
+ };
1184
+ User: {
1185
+ /** Format: uuid */
1186
+ id?: string;
1187
+ email?: string;
1188
+ phone_country_code?: string | null;
1189
+ phone_number?: string | null;
1190
+ first_name?: string;
1191
+ last_name?: string;
1192
+ is_email_verified?: boolean;
1193
+ is_phone_verified?: boolean;
1194
+ is_2fa_enabled?: boolean;
1195
+ roles?: string[];
1196
+ permissions?: string[];
1197
+ /** Format: date-time */
1198
+ created_at?: string;
1199
+ /** Format: date-time */
1200
+ last_login?: string | null;
1201
+ };
1202
+ };
1203
+ responses: never;
1204
+ parameters: never;
1205
+ requestBodies: never;
1206
+ headers: never;
1207
+ pathItems: never;
1208
+ }
1209
+
1210
+ type GeneratedSchema = components['schemas'];
1211
+ /**
1212
+ * Core User Interface exposed by the SDK.
1213
+ * Represents the authenticated entity bound to the active session.
1214
+ */
1215
+ interface TenxyteUser {
1216
+ id: string;
1217
+ email: string | null;
1218
+ phone_country_code: string | null;
1219
+ phone_number: string | null;
1220
+ first_name: string;
1221
+ last_name: string;
1222
+ is_email_verified: boolean;
1223
+ is_phone_verified: boolean;
1224
+ is_2fa_enabled: boolean;
1225
+ roles: string[];
1226
+ permissions: string[];
1227
+ created_at: string;
1228
+ last_login: string | null;
1229
+ }
1230
+ /**
1231
+ * Standard SDK Token Pair (internal structure normalized by interceptors).
1232
+ * These are managed automatically if auto-refresh is enabled.
1233
+ */
1234
+ interface TokenPair {
1235
+ access_token: string;
1236
+ refresh_token: string;
1237
+ token_type: 'Bearer';
1238
+ expires_in: number;
1239
+ device_summary: string | null;
1240
+ }
1241
+ /**
1242
+ * Standardized API Error Response wrapper thrown by network interceptors.
1243
+ */
1244
+ interface TenxyteError {
1245
+ error: string;
1246
+ code: TenxyteErrorCode;
1247
+ details?: Record<string, string[]> | string;
1248
+ retry_after?: number;
1249
+ }
1250
+ type TenxyteErrorCode = 'LOGIN_FAILED' | 'INVALID_CREDENTIALS' | 'ACCOUNT_LOCKED' | 'ACCOUNT_BANNED' | '2FA_REQUIRED' | 'ADMIN_2FA_SETUP_REQUIRED' | 'TOKEN_EXPIRED' | 'TOKEN_BLACKLISTED' | 'REFRESH_FAILED' | 'PERMISSION_DENIED' | 'SESSION_LIMIT_EXCEEDED' | 'DEVICE_LIMIT_EXCEEDED' | 'RATE_LIMITED' | 'INVALID_OTP' | 'OTP_EXPIRED' | 'INVALID_PROVIDER' | 'SOCIAL_AUTH_FAILED' | 'VALIDATION_URL_REQUIRED' | 'INVALID_TOKEN' | 'CONFIRMATION_REQUIRED' | 'PASSWORD_REQUIRED' | 'INVALID_PASSWORD' | 'INVALID_DEVICE_INFO' | 'ORG_NOT_FOUND' | 'NOT_ORG_MEMBER' | 'NOT_OWNER' | 'ALREADY_MEMBER' | 'MEMBER_LIMIT_EXCEEDED' | 'HAS_CHILDREN' | 'CIRCULAR_HIERARCHY' | 'LAST_OWNER_REQUIRED' | 'INVITATION_EXISTS' | 'INVALID_ROLE' | 'AGENT_NOT_FOUND' | 'AGENT_SUSPENDED' | 'AGENT_REVOKED' | 'AGENT_EXPIRED' | 'BUDGET_EXCEEDED' | 'RATE_LIMIT_EXCEEDED' | 'HEARTBEAT_MISSING' | 'AIRS_DISABLED' | 'TIMEOUT' | 'NETWORK_ERROR';
1251
+ /**
1252
+ * Organization Structure defining a B2B tenant or hierarchical unit.
1253
+ */
1254
+ interface Organization {
1255
+ id: number;
1256
+ name: string;
1257
+ slug: string;
1258
+ description: string | null;
1259
+ metadata: Record<string, unknown> | null;
1260
+ is_active: boolean;
1261
+ max_members: number;
1262
+ member_count: number;
1263
+ created_at: string;
1264
+ updated_at: string;
1265
+ parent: {
1266
+ id: number;
1267
+ name: string;
1268
+ slug: string;
1269
+ } | null;
1270
+ children: Array<{
1271
+ id: number;
1272
+ name: string;
1273
+ slug: string;
1274
+ }>;
1275
+ user_role: string | null;
1276
+ user_permissions: string[];
1277
+ }
1278
+ /**
1279
+ * Base Pagination Response wrapper
1280
+ */
1281
+ interface PaginatedResponse<T> {
1282
+ count: number;
1283
+ page: number;
1284
+ page_size: number;
1285
+ total_pages: number;
1286
+ next: string | null;
1287
+ previous: string | null;
1288
+ results: T[];
1289
+ }
1290
+ /**
1291
+ * AIRS Agent Token metadata
1292
+ */
1293
+ interface AgentTokenSummary {
1294
+ id: number;
1295
+ agent_id: string;
1296
+ status: 'ACTIVE' | 'SUSPENDED' | 'REVOKED' | 'EXPIRED';
1297
+ expires_at: string;
1298
+ created_at: string;
1299
+ organization: string | null;
1300
+ current_request_count: number;
1301
+ }
1302
+ /**
1303
+ * Request awaiting Human-In-The-Loop approval
1304
+ */
1305
+ interface AgentPendingAction {
1306
+ id: number;
1307
+ agent_id: string;
1308
+ permission: string;
1309
+ endpoint: string;
1310
+ payload: unknown;
1311
+ confirmation_token: string;
1312
+ expires_at: string;
1313
+ created_at: string;
1314
+ }
1315
+
1316
+ interface LoginEmailOptions {
1317
+ totp_code?: string;
1318
+ }
1319
+ interface LoginPhoneOptions {
1320
+ totp_code?: string;
1321
+ }
1322
+ interface RegisterRequest {
1323
+ /** Email address (required unless phone-based registration). */
1324
+ email?: string | null;
1325
+ /** International phone country code (e.g. "+33"). */
1326
+ phone_country_code?: string | null;
1327
+ /** Phone number without country code. */
1328
+ phone_number?: string | null;
1329
+ /** Account password. */
1330
+ password: string;
1331
+ /** User's first name. */
1332
+ first_name?: string;
1333
+ /** User's last name. */
1334
+ last_name?: string;
1335
+ /** Username (if enabled by the backend). */
1336
+ username?: string;
1337
+ /** If true, the user is logged in immediately after registration (JWT tokens returned). */
1338
+ login?: boolean;
1339
+ }
1340
+ interface MagicLinkRequest {
1341
+ email: string;
1342
+ /** URL used to build the verification link (required). */
1343
+ validation_url: string;
1344
+ }
1345
+ interface SocialLoginRequest {
1346
+ access_token?: string;
1347
+ authorization_code?: string;
1348
+ id_token?: string;
1349
+ }
1350
+ /** Response from the registration endpoint (may include tokens if `login: true`). */
1351
+ interface RegisterResponse {
1352
+ message?: string;
1353
+ user_id?: string;
1354
+ access_token?: string;
1355
+ refresh_token?: string;
1356
+ token_type?: string;
1357
+ expires_in?: number;
1358
+ }
1359
+ /** Response from the magic link request endpoint. */
1360
+ interface MagicLinkResponse {
1361
+ message?: string;
1362
+ expires_in_minutes?: number;
1363
+ /** Masked email for security. */
1364
+ sent_to?: string;
1365
+ }
1366
+ declare class AuthModule {
1367
+ private client;
1368
+ private storage?;
1369
+ private onTokens?;
1370
+ private onLogout?;
1371
+ constructor(client: TenxyteHttpClient, storage?: TenxyteStorage | undefined, onTokens?: ((accessToken: string, refreshToken?: string) => void) | undefined, onLogout?: (() => void) | undefined);
1372
+ private clearTokens;
1373
+ private persistTokens;
1374
+ /**
1375
+ * Authenticate a user with their email and password.
1376
+ * @param data - The login credentials and optional TOTP code if 2FA is required.
1377
+ * @returns A pair of Access and Refresh tokens upon successful authentication.
1378
+ * @throws {TenxyteError} If credentials are invalid, or if `2FA_REQUIRED` without a valid `totp_code`.
1379
+ */
1380
+ loginWithEmail(data: GeneratedSchema['LoginEmail']): Promise<TokenPair>;
1381
+ /**
1382
+ * Authenticate a user with an international phone number and password.
1383
+ * @param data - The login credentials and optional TOTP code if 2FA is required.
1384
+ * @returns A pair of Access and Refresh tokens.
1385
+ */
1386
+ loginWithPhone(data: GeneratedSchema['LoginPhone']): Promise<TokenPair>;
1387
+ /**
1388
+ * Registers a new user account.
1389
+ * @param data - The registration details (email, password, etc.).
1390
+ * @returns The registered user data or a confirmation message.
1391
+ */
1392
+ register(data: RegisterRequest): Promise<RegisterResponse>;
1393
+ /**
1394
+ * Logout from the current session.
1395
+ * Informs the backend to immediately revoke the specified refresh token.
1396
+ * @param refreshToken - The refresh token to revoke.
1397
+ */
1398
+ logout(refreshToken: string): Promise<void>;
1399
+ /**
1400
+ * Logout from all sessions across all devices.
1401
+ * Revokes all refresh tokens currently assigned to the user.
1402
+ */
1403
+ logoutAll(): Promise<void>;
1404
+ /**
1405
+ * Manually refresh the access token using a valid refresh token.
1406
+ * The refresh token is automatically rotated for improved security.
1407
+ * @param refreshToken - The current refresh token.
1408
+ * @returns A new token pair (access + rotated refresh).
1409
+ */
1410
+ refreshToken(refreshToken: string): Promise<TokenPair>;
1411
+ /**
1412
+ * Request a Magic Link for passwordless sign-in.
1413
+ * @param data - The email to send the logic link to.
1414
+ */
1415
+ requestMagicLink(data: MagicLinkRequest): Promise<MagicLinkResponse>;
1416
+ /**
1417
+ * Verifies a magic link token extracted from the URL.
1418
+ * @param token - The cryptographic token received via email.
1419
+ * @returns A session token pair if the token is valid and unexpired.
1420
+ */
1421
+ verifyMagicLink(token: string): Promise<TokenPair>;
1422
+ /**
1423
+ * Submits OAuth2 Social Authentication payloads to the backend.
1424
+ * Can be used with native mobile SDK tokens (like Apple Sign-In JWTs).
1425
+ * @param provider - The OAuth provider ('google', 'github', etc.)
1426
+ * @param data - The OAuth tokens (access_token, id_token, etc.)
1427
+ * @returns An active session token pair.
1428
+ */
1429
+ loginWithSocial(provider: 'google' | 'github' | 'microsoft' | 'facebook', data: SocialLoginRequest): Promise<TokenPair>;
1430
+ /**
1431
+ * Handle Social Auth Callbacks (Authorization Code flow).
1432
+ * @param provider - The OAuth provider ('google', 'github', etc.)
1433
+ * @param code - The authorization code retrieved from the query string parameters.
1434
+ * @param redirectUri - The original redirect URI that was requested.
1435
+ * @returns An active session token pair after successful code exchange.
1436
+ */
1437
+ handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string): Promise<TokenPair>;
1438
+ }
1439
+
1440
+ declare class SecurityModule {
1441
+ private client;
1442
+ constructor(client: TenxyteHttpClient);
1443
+ /**
1444
+ * Get the current 2FA status for the authenticated user.
1445
+ * @returns Information about whether 2FA is enabled and how many backup codes remain.
1446
+ */
1447
+ get2FAStatus(): Promise<{
1448
+ is_enabled: boolean;
1449
+ backup_codes_remaining: number;
1450
+ }>;
1451
+ /**
1452
+ * Start the 2FA enrollment process.
1453
+ * @returns The secret key and QR code URL to be scanned by an Authenticator app.
1454
+ */
1455
+ setup2FA(): Promise<{
1456
+ message: string;
1457
+ secret: string;
1458
+ manual_entry_key: string;
1459
+ qr_code: string;
1460
+ provisioning_uri: string;
1461
+ backup_codes: string[];
1462
+ warning: string;
1463
+ }>;
1464
+ /**
1465
+ * Confirm the 2FA setup by providing the first TOTP code generated by the Authenticator app.
1466
+ * @param totpCode - The 6-digit code.
1467
+ */
1468
+ confirm2FA(totpCode: string): Promise<{
1469
+ message: string;
1470
+ is_enabled: boolean;
1471
+ enabled_at: string;
1472
+ }>;
1473
+ /**
1474
+ * Disable 2FA for the current user.
1475
+ * Usually requires re-authentication or providing the active password/totp code.
1476
+ * @param totpCode - The current 6-digit code to verify intent.
1477
+ * @param password - (Optional) The user's password if required by backend policy.
1478
+ */
1479
+ disable2FA(totpCode: string, password?: string): Promise<{
1480
+ message: string;
1481
+ is_enabled: boolean;
1482
+ disabled_at: string;
1483
+ backup_codes_invalidated: boolean;
1484
+ }>;
1485
+ /**
1486
+ * Invalidate old backup codes and explicitly generate a new batch.
1487
+ * @param totpCode - An active TOTP code to verify intent.
1488
+ */
1489
+ regenerateBackupCodes(totpCode: string): Promise<{
1490
+ message: string;
1491
+ backup_codes: string[];
1492
+ codes_count: number;
1493
+ generated_at?: string;
1494
+ warning: string;
1495
+ }>;
1496
+ /**
1497
+ * Request an OTP code to be dispatched to the user's primary contact method.
1498
+ * @param type - The channel type ('email' or 'phone').
1499
+ */
1500
+ requestOtp(type: 'email' | 'phone'): Promise<{
1501
+ message: string;
1502
+ otp_id: number;
1503
+ expires_at: string;
1504
+ channel: 'email' | 'phone';
1505
+ masked_recipient: string;
1506
+ }>;
1507
+ /**
1508
+ * Verify an email confirmation OTP.
1509
+ * @param code - The numeric code received via email.
1510
+ */
1511
+ verifyOtpEmail(code: string): Promise<{
1512
+ message: string;
1513
+ email_verified: boolean;
1514
+ verified_at: string;
1515
+ }>;
1516
+ /**
1517
+ * Verify a phone confirmation OTP (SMS dispatch).
1518
+ * @param code - The numeric code received via SMS.
1519
+ */
1520
+ verifyOtpPhone(code: string): Promise<{
1521
+ message: string;
1522
+ phone_verified: boolean;
1523
+ verified_at: string;
1524
+ phone_number: string;
1525
+ }>;
1526
+ /**
1527
+ * Triggers a password reset flow, dispatching an OTP to the target.
1528
+ * @param target - Either an email address or a phone configuration payload.
1529
+ */
1530
+ resetPasswordRequest(target: {
1531
+ email: string;
1532
+ } | {
1533
+ phone_country_code: string;
1534
+ phone_number: string;
1535
+ }): Promise<{
1536
+ message: string;
1537
+ }>;
1538
+ /**
1539
+ * Confirm a password reset using the OTP dispatched by `resetPasswordRequest`.
1540
+ * @param data - The OTP code and the new matching password fields.
1541
+ */
1542
+ resetPasswordConfirm(data: {
1543
+ email?: string;
1544
+ phone_country_code?: string;
1545
+ phone_number?: string;
1546
+ otp_code: string;
1547
+ new_password: string;
1548
+ confirm_password: string;
1549
+ }): Promise<{
1550
+ message: string;
1551
+ }>;
1552
+ /**
1553
+ * Change password for an already authenticated user.
1554
+ * @param currentPassword - The existing password to verify intent.
1555
+ * @param newPassword - The distinct new password.
1556
+ */
1557
+ changePassword(currentPassword: string, newPassword: string): Promise<{
1558
+ message: string;
1559
+ }>;
1560
+ /**
1561
+ * Evaluate the strength of a potential password against backend policies.
1562
+ * @param password - The password string to test.
1563
+ * @param email - (Optional) The user's email to ensure the password doesn't contain it.
1564
+ */
1565
+ checkPasswordStrength(password: string, email?: string): Promise<{
1566
+ score: number;
1567
+ strength: string;
1568
+ is_valid: boolean;
1569
+ errors: string[];
1570
+ requirements: {
1571
+ min_length: number;
1572
+ require_lowercase: boolean;
1573
+ require_uppercase: boolean;
1574
+ require_numbers: boolean;
1575
+ require_special: boolean;
1576
+ };
1577
+ }>;
1578
+ /**
1579
+ * Fetch the password complexity requirements enforced by the Tenxyte backend.
1580
+ */
1581
+ getPasswordRequirements(): Promise<{
1582
+ requirements: Record<string, boolean | number>;
1583
+ min_length: number;
1584
+ max_length: number;
1585
+ }>;
1586
+ /**
1587
+ * Register a new WebAuthn device (Passkey/Biometrics/Security Key) for the authenticated user.
1588
+ * Integrates transparently with the browser `navigator.credentials` API.
1589
+ * @param deviceName - Optional human-readable name for the device being registered.
1590
+ */
1591
+ registerWebAuthn(deviceName?: string): Promise<{
1592
+ message: string;
1593
+ credential: {
1594
+ id: number;
1595
+ device_name: string;
1596
+ created_at: string;
1597
+ };
1598
+ }>;
1599
+ /**
1600
+ * Authenticate via WebAuthn (Passkey) without requiring a password.
1601
+ * Integrates transparently with the browser `navigator.credentials` API.
1602
+ * @param email - The email address identifying the user account (optional if discoverable credentials are used).
1603
+ * @returns A session token pair and the user context upon successful cryptographic challenge verification.
1604
+ */
1605
+ authenticateWebAuthn(email?: string): Promise<{
1606
+ access: string;
1607
+ refresh: string;
1608
+ user: TenxyteUser;
1609
+ message: string;
1610
+ credential_used: string;
1611
+ }>;
1612
+ /**
1613
+ * List all registered WebAuthn credentials for the active user.
1614
+ */
1615
+ listWebAuthnCredentials(): Promise<{
1616
+ credentials: Array<{
1617
+ id: number;
1618
+ device_name: string;
1619
+ created_at: string;
1620
+ last_used_at: string | null;
1621
+ authenticator_type: string;
1622
+ is_resident_key: boolean;
1623
+ }>;
1624
+ count: number;
1625
+ }>;
1626
+ /**
1627
+ * Delete a specific WebAuthn credential, removing its capability to sign in.
1628
+ * @param credentialId - The internal ID of the credential to delete.
1629
+ */
1630
+ deleteWebAuthnCredential(credentialId: number): Promise<void>;
1631
+ }
1632
+
1633
+ interface Role {
1634
+ id: string;
1635
+ name: string;
1636
+ description?: string;
1637
+ is_default?: boolean;
1638
+ permissions?: string[];
1639
+ }
1640
+ interface Permission {
1641
+ id: string;
1642
+ code: string;
1643
+ name: string;
1644
+ description?: string;
1645
+ }
1646
+ declare class RbacModule {
1647
+ private client;
1648
+ private cachedToken;
1649
+ constructor(client: TenxyteHttpClient);
1650
+ /**
1651
+ * Cache a decoded JWT payload locally to perform parameter-less synchronous permission checks.
1652
+ * Usually invoked automatically by the system upon login or token refresh.
1653
+ * @param token - The raw JWT access token encoded string.
1654
+ */
1655
+ setToken(token: string | null): void;
1656
+ private getDecodedToken;
1657
+ /**
1658
+ * Synchronously deeply inspects the cached (or provided) JWT to determine if the user has a specific Role.
1659
+ * @param role - The exact code name of the Role.
1660
+ * @param token - (Optional) Provide a specific token overriding the cached one.
1661
+ */
1662
+ hasRole(role: string, token?: string): boolean;
1663
+ /**
1664
+ * Evaluates if the active session holds AT LEAST ONE of the listed Roles.
1665
+ * @param roles - An array of Role codes.
1666
+ */
1667
+ hasAnyRole(roles: string[], token?: string): boolean;
1668
+ /**
1669
+ * Evaluates if the active session holds ALL of the listed Roles concurrently.
1670
+ * @param roles - An array of Role codes.
1671
+ */
1672
+ hasAllRoles(roles: string[], token?: string): boolean;
1673
+ /**
1674
+ * Synchronously deeply inspects the cached (or provided) JWT to determine if the user has a specific granular Permission.
1675
+ * @param permission - The exact code name of the Permission (e.g., 'invoices.read').
1676
+ */
1677
+ hasPermission(permission: string, token?: string): boolean;
1678
+ /**
1679
+ * Evaluates if the active session holds AT LEAST ONE of the listed Permissions.
1680
+ */
1681
+ hasAnyPermission(permissions: string[], token?: string): boolean;
1682
+ /**
1683
+ * Evaluates if the active session holds ALL of the listed Permissions concurrently.
1684
+ */
1685
+ hasAllPermissions(permissions: string[], token?: string): boolean;
1686
+ /** Fetch all application global Roles structure */
1687
+ listRoles(): Promise<Role[]>;
1688
+ /** Create a new architectural Role inside Tenxyte */
1689
+ createRole(data: {
1690
+ name: string;
1691
+ description?: string;
1692
+ permission_codes?: string[];
1693
+ is_default?: boolean;
1694
+ }): Promise<Role>;
1695
+ /** Get detailed metadata defining a single bounded Role */
1696
+ getRole(roleId: string): Promise<Role>;
1697
+ /** Modify properties bounding a Role */
1698
+ updateRole(roleId: string, data: {
1699
+ name?: string;
1700
+ description?: string;
1701
+ permission_codes?: string[];
1702
+ is_default?: boolean;
1703
+ }): Promise<Role>;
1704
+ /** Unbind and destruct a Role from the global Tenant. (Dangerous, implies cascading permission unbindings) */
1705
+ deleteRole(roleId: string): Promise<void>;
1706
+ getRolePermissions(roleId: string): Promise<Permission[]>;
1707
+ addPermissionsToRole(roleId: string, permission_codes: string[]): Promise<void>;
1708
+ removePermissionsFromRole(roleId: string, permission_codes: string[]): Promise<void>;
1709
+ /** Enumerates all available fine-grained Permissions inside this Tenant scope. */
1710
+ listPermissions(): Promise<Permission[]>;
1711
+ /** Bootstraps a new granular Permission flag (e.g. `billing.refund`). */
1712
+ createPermission(data: {
1713
+ code: string;
1714
+ name: string;
1715
+ description?: string;
1716
+ parent_code?: string;
1717
+ }): Promise<Permission>;
1718
+ /** Retrieves an existing atomic Permission construct. */
1719
+ getPermission(permissionId: string): Promise<Permission>;
1720
+ /** Edits the human readable description or structural dependencies of a Permission. */
1721
+ updatePermission(permissionId: string, data: {
1722
+ name?: string;
1723
+ description?: string;
1724
+ }): Promise<Permission>;
1725
+ /** Destroys an atomic Permission permanently. Any Roles referencing it will be stripped of this grant automatically. */
1726
+ deletePermission(permissionId: string): Promise<void>;
1727
+ /**
1728
+ * Retrieve all roles assigned to a specific user.
1729
+ * @param userId - The target user ID.
1730
+ */
1731
+ getUserRoles(userId: string): Promise<Record<string, unknown>>;
1732
+ /**
1733
+ * Retrieve all permissions directly assigned to a specific user (excluding role-based permissions).
1734
+ * @param userId - The target user ID.
1735
+ */
1736
+ getUserPermissions(userId: string): Promise<Record<string, unknown>>;
1737
+ /**
1738
+ * Attach a given Role globally to a user entity.
1739
+ * Use sparingly if B2B multi-tenancy contexts are preferred.
1740
+ */
1741
+ assignRoleToUser(userId: string, roleCode: string): Promise<void>;
1742
+ /**
1743
+ * Unbind a global Role from a user entity.
1744
+ */
1745
+ removeRoleFromUser(userId: string, roleCode: string): Promise<void>;
1746
+ /**
1747
+ * Ad-Hoc directly attach specific granular Permissions to a single User, bypassing Role boundaries.
1748
+ */
1749
+ assignPermissionsToUser(userId: string, permissionCodes: string[]): Promise<void>;
1750
+ /**
1751
+ * Ad-Hoc strip direct granular Permissions bindings from a specific User.
1752
+ */
1753
+ removePermissionsFromUser(userId: string, permissionCodes: string[]): Promise<void>;
1754
+ }
1755
+
1756
+ interface UpdateProfileParams {
1757
+ first_name?: string;
1758
+ last_name?: string;
1759
+ [key: string]: any;
1760
+ }
1761
+ interface AdminUpdateUserParams {
1762
+ first_name?: string;
1763
+ last_name?: string;
1764
+ is_active?: boolean;
1765
+ is_locked?: boolean;
1766
+ max_sessions?: number;
1767
+ max_devices?: number;
1768
+ }
1769
+ declare class UserModule {
1770
+ private client;
1771
+ constructor(client: TenxyteHttpClient);
1772
+ /** Retrieve your current comprehensive Profile metadata matching the active network bearer token. */
1773
+ getProfile(): Promise<TenxyteUser>;
1774
+ /** Modify your active profile core details or injected application metadata. */
1775
+ updateProfile(data: UpdateProfileParams): Promise<TenxyteUser>;
1776
+ /**
1777
+ * Upload an avatar using FormData.
1778
+ * Ensure the environment supports FormData (browser or Node.js v18+).
1779
+ * @param formData The FormData object containing the 'avatar' field.
1780
+ */
1781
+ uploadAvatar(formData: FormData): Promise<TenxyteUser>;
1782
+ /**
1783
+ * @deprecated Use `gdpr.requestAccountDeletion()` instead. This proxy will be removed in a future release.
1784
+ * Trigger self-deletion of an entire account data boundary.
1785
+ * @param password - Requires the active system password as destructive proof of intent.
1786
+ * @param otpCode - (Optional) If an OTP was queried prior to attempting account deletion.
1787
+ */
1788
+ deleteAccount(password: string, otpCode?: string): Promise<void>;
1789
+ /**
1790
+ * Retrieve the roles and permissions of the currently authenticated user.
1791
+ * @returns An object containing `roles[]` and `permissions[]`.
1792
+ */
1793
+ getMyRoles(): Promise<{
1794
+ roles: any[];
1795
+ permissions: any[];
1796
+ [key: string]: unknown;
1797
+ }>;
1798
+ /** (Admin only) Lists users paginated matching criteria. */
1799
+ listUsers(params?: Record<string, any>): Promise<PaginatedResponse<TenxyteUser>>;
1800
+ /** (Admin only) Gets deterministic data related to a remote unassociated user. */
1801
+ getUser(userId: string): Promise<TenxyteUser>;
1802
+ /** (Admin only) Modifies configuration/details or capacity bounds related to a remote unassociated user. */
1803
+ adminUpdateUser(userId: string, data: AdminUpdateUserParams): Promise<TenxyteUser>;
1804
+ /** (Admin only) Force obliterate a User boundary. Can affect relational database stability if not bound carefully. */
1805
+ adminDeleteUser(userId: string): Promise<void>;
1806
+ /** (Admin only) Apply a permanent suspension / ban state globally on a user token footprint. */
1807
+ banUser(userId: string, reason?: string): Promise<void>;
1808
+ /** (Admin only) Recover a user footprint from a global ban state. */
1809
+ unbanUser(userId: string): Promise<void>;
1810
+ /** (Admin only) Apply a temporary lock bounding block on a user interaction footprint. */
1811
+ lockUser(userId: string, durationMinutes?: number, reason?: string): Promise<void>;
1812
+ /** (Admin only) Releases an arbitrary temporary system lock placed on a user bounds. */
1813
+ unlockUser(userId: string): Promise<void>;
1814
+ }
1815
+
1816
+ interface OrgMembership {
1817
+ id: number;
1818
+ user_id: number;
1819
+ email: string;
1820
+ first_name: string;
1821
+ last_name: string;
1822
+ role: {
1823
+ code: string;
1824
+ name: string;
1825
+ };
1826
+ joined_at: string;
1827
+ }
1828
+ interface OrgTreeNode {
1829
+ id: number;
1830
+ name: string;
1831
+ slug: string;
1832
+ children: OrgTreeNode[];
1833
+ }
1834
+ declare class B2bModule {
1835
+ private client;
1836
+ private currentOrgSlug;
1837
+ constructor(client: TenxyteHttpClient);
1838
+ /**
1839
+ * Set the active Organization context.
1840
+ * Subsequent API requests will automatically include the `X-Org-Slug` header.
1841
+ * @param slug - The unique string identifier of the organization.
1842
+ */
1843
+ switchOrganization(slug: string): void;
1844
+ /**
1845
+ * Clear the active Organization context, dropping the `X-Org-Slug` header for standard User operations.
1846
+ */
1847
+ clearOrganization(): void;
1848
+ /** Get the currently active Organization slug context if set. */
1849
+ getCurrentOrganizationSlug(): string | null;
1850
+ /** Create a new top-level or child Organization in the backend. */
1851
+ createOrganization(data: {
1852
+ name: string;
1853
+ slug?: string;
1854
+ description?: string;
1855
+ parent_id?: number;
1856
+ metadata?: Record<string, unknown>;
1857
+ max_members?: number;
1858
+ }): Promise<Organization>;
1859
+ /** List organizations the currently authenticated user belongs to. */
1860
+ listMyOrganizations(params?: {
1861
+ search?: string;
1862
+ is_active?: boolean;
1863
+ parent?: string;
1864
+ ordering?: string;
1865
+ page?: number;
1866
+ page_size?: number;
1867
+ }): Promise<PaginatedResponse<Organization>>;
1868
+ /** Retrieve details about a specific organization by slug. */
1869
+ getOrganization(slug: string): Promise<Organization>;
1870
+ /** Update configuration and metadata of an Organization. */
1871
+ updateOrganization(slug: string, data: Partial<{
1872
+ name: string;
1873
+ slug: string;
1874
+ description: string;
1875
+ parent_id: number | null;
1876
+ metadata: Record<string, unknown>;
1877
+ max_members: number;
1878
+ is_active: boolean;
1879
+ }>): Promise<Organization>;
1880
+ /** Permanently delete an Organization. */
1881
+ deleteOrganization(slug: string): Promise<{
1882
+ message: string;
1883
+ }>;
1884
+ /** Retrieve the topology subtree extending downward from this point. */
1885
+ getOrganizationTree(slug: string): Promise<OrgTreeNode>;
1886
+ /** List users bound to a specific Organization. */
1887
+ listMembers(slug: string, params?: {
1888
+ search?: string;
1889
+ role?: 'owner' | 'admin' | 'member';
1890
+ status?: 'active' | 'inactive' | 'pending';
1891
+ ordering?: string;
1892
+ page?: number;
1893
+ page_size?: number;
1894
+ }): Promise<PaginatedResponse<OrgMembership>>;
1895
+ /** Add a user directly into an Organization with a designated role. */
1896
+ addMember(slug: string, data: {
1897
+ user_id: number;
1898
+ role_code: string;
1899
+ }): Promise<OrgMembership>;
1900
+ /** Evolve or demote an existing member's role within the Organization. */
1901
+ updateMemberRole(slug: string, userId: number, roleCode: string): Promise<OrgMembership>;
1902
+ /** Kick a user out of the Organization. */
1903
+ removeMember(slug: string, userId: number): Promise<{
1904
+ message: string;
1905
+ }>;
1906
+ /** Send an onboarding email invitation to join an Organization. */
1907
+ inviteMember(slug: string, data: {
1908
+ email: string;
1909
+ role_code: string;
1910
+ expires_in_days?: number;
1911
+ }): Promise<{
1912
+ id: number;
1913
+ email: string;
1914
+ role: string;
1915
+ token: string;
1916
+ expires_at: string;
1917
+ invited_by: {
1918
+ id: number;
1919
+ email: string;
1920
+ };
1921
+ organization: {
1922
+ id: number;
1923
+ name: string;
1924
+ slug: string;
1925
+ };
1926
+ }>;
1927
+ /** Fetch a definition matrix of what Organization-level roles can be assigned. */
1928
+ listOrgRoles(): Promise<Array<{
1929
+ code: string;
1930
+ name: string;
1931
+ description: string;
1932
+ weight: number;
1933
+ permissions: Array<{
1934
+ code: string;
1935
+ name: string;
1936
+ description: string;
1937
+ }>;
1938
+ is_system_role: boolean;
1939
+ created_at: string;
1940
+ }>>;
1941
+ }
1942
+
1943
+ declare class AiModule {
1944
+ private client;
1945
+ private agentToken;
1946
+ private traceId;
1947
+ private logger?;
1948
+ constructor(client: TenxyteHttpClient, logger?: TenxyteLogger);
1949
+ /**
1950
+ * Create an AgentToken granting specific deterministic limits to an AI Agent.
1951
+ */
1952
+ createAgentToken(data: {
1953
+ agent_id: string;
1954
+ permissions?: string[];
1955
+ expires_in?: number;
1956
+ organization?: string;
1957
+ budget_limit_usd?: number;
1958
+ circuit_breaker?: {
1959
+ max_requests?: number;
1960
+ window_seconds?: number;
1961
+ };
1962
+ dead_mans_switch?: {
1963
+ heartbeat_required_every?: number;
1964
+ };
1965
+ }): Promise<{
1966
+ id: number;
1967
+ token: string;
1968
+ agent_id: string;
1969
+ status: string;
1970
+ expires_at: string;
1971
+ }>;
1972
+ /**
1973
+ * Set the SDK to operate on behalf of an Agent using the generated Agent Token payload.
1974
+ * Overrides standard `Authorization` headers with `AgentBearer`.
1975
+ */
1976
+ setAgentToken(token: string): void;
1977
+ /** Disables the active Agent override and reverts to standard User session requests. */
1978
+ clearAgentToken(): void;
1979
+ /** Check if the SDK is currently mocking requests as an AI Agent. */
1980
+ isAgentMode(): boolean;
1981
+ /** List previously provisioned active Agent tokens. */
1982
+ listAgentTokens(): Promise<AgentTokenSummary[]>;
1983
+ /** Fetch the status and configuration of a specific AgentToken. */
1984
+ getAgentToken(tokenId: number): Promise<AgentTokenSummary>;
1985
+ /** Irreversibly revoke a targeted AgentToken from acting upon the Tenant. */
1986
+ revokeAgentToken(tokenId: number): Promise<{
1987
+ status: 'revoked';
1988
+ }>;
1989
+ /** Temporarily freeze an AgentToken by forcibly closing its Circuit Breaker. */
1990
+ suspendAgentToken(tokenId: number): Promise<{
1991
+ status: 'suspended';
1992
+ }>;
1993
+ /** Emergency kill-switch to wipe all operational Agent Tokens. */
1994
+ revokeAllAgentTokens(): Promise<{
1995
+ status: 'revoked';
1996
+ count: number;
1997
+ }>;
1998
+ /** Satisfy an Agent's Dead-Man's switch heartbeat requirement to prevent suspension. */
1999
+ sendHeartbeat(tokenId: number): Promise<{
2000
+ status: 'ok';
2001
+ }>;
2002
+ /** List intercepted HTTP 202 actions waiting for Human interaction / approval. */
2003
+ listPendingActions(): Promise<AgentPendingAction[]>;
2004
+ /** Complete a pending HITL authorization to finally flush the Agent action to backend systems. */
2005
+ confirmPendingAction(confirmationToken: string): Promise<{
2006
+ status: 'confirmed';
2007
+ }>;
2008
+ /** Block an Agent action permanently. */
2009
+ denyPendingAction(confirmationToken: string): Promise<{
2010
+ status: 'denied';
2011
+ }>;
2012
+ /** Start piping the `X-Prompt-Trace-ID` custom header outwards for tracing logs against LLM inputs. */
2013
+ setTraceId(traceId: string): void;
2014
+ /** Disable trace forwarding context. */
2015
+ clearTraceId(): void;
2016
+ /**
2017
+ * Report consumption costs associated with a backend invocation back to Tenxyte for strict circuit budgeting.
2018
+ * @param tokenId - AgentToken evaluating ID.
2019
+ * @param usage - Sunk token costs or explicit USD derivations.
2020
+ */
2021
+ reportUsage(tokenId: number, usage: {
2022
+ cost_usd: number;
2023
+ prompt_tokens: number;
2024
+ completion_tokens: number;
2025
+ }): Promise<{
2026
+ status: 'ok';
2027
+ } | {
2028
+ error: 'Budget exceeded';
2029
+ status: 'suspended';
2030
+ }>;
2031
+ }
2032
+
2033
+ /**
2034
+ * Represents an application (API client) registered in the Tenxyte platform.
2035
+ * The `access_secret` is never returned after creation — only `access_key` is visible.
2036
+ */
2037
+ interface Application {
2038
+ id: string;
2039
+ name: string;
2040
+ description?: string;
2041
+ access_key: string;
2042
+ is_active: boolean;
2043
+ created_at: string;
2044
+ updated_at: string;
2045
+ }
2046
+ /**
2047
+ * Parameters accepted by `listApplications()`.
2048
+ */
2049
+ interface ApplicationListParams {
2050
+ /** Search within name and description. */
2051
+ search?: string;
2052
+ /** Filter by active status. */
2053
+ is_active?: boolean;
2054
+ /** Sort field: `name`, `is_active`, `created_at`, `updated_at`. */
2055
+ ordering?: string;
2056
+ /** Page number (1-indexed). */
2057
+ page?: number;
2058
+ /** Items per page (max 100). */
2059
+ page_size?: number;
2060
+ }
2061
+ /**
2062
+ * Body accepted by `createApplication()`.
2063
+ */
2064
+ interface ApplicationCreateData {
2065
+ name: string;
2066
+ description?: string;
2067
+ }
2068
+ /**
2069
+ * Response returned by `createApplication()`.
2070
+ * **`client_secret` is only shown once at creation time.**
2071
+ */
2072
+ interface ApplicationCreateResponse {
2073
+ id: number;
2074
+ name: string;
2075
+ description?: string;
2076
+ client_id: string;
2077
+ client_secret: string;
2078
+ is_active: boolean;
2079
+ created_at: string;
2080
+ secret_rotation_warning?: string;
2081
+ }
2082
+ /**
2083
+ * Body accepted by `updateApplication()` (PUT — full replace).
2084
+ */
2085
+ interface ApplicationUpdateData {
2086
+ name?: string;
2087
+ description?: string;
2088
+ is_active?: boolean;
2089
+ }
2090
+ /**
2091
+ * Response returned by `regenerateCredentials()`.
2092
+ * **`credentials.access_secret` is only shown once.**
2093
+ */
2094
+ interface ApplicationRegenerateResponse {
2095
+ message?: string;
2096
+ application?: Record<string, unknown>;
2097
+ credentials?: {
2098
+ access_key?: string;
2099
+ access_secret?: string;
2100
+ };
2101
+ warning?: string;
2102
+ old_credentials_invalidated?: boolean;
2103
+ }
2104
+ declare class ApplicationsModule {
2105
+ private client;
2106
+ constructor(client: TenxyteHttpClient);
2107
+ /**
2108
+ * List all registered applications (paginated).
2109
+ * @param params - Optional filters: `search`, `is_active`, `ordering`, `page`, `page_size`.
2110
+ * @returns A paginated list of applications.
2111
+ */
2112
+ listApplications(params?: ApplicationListParams): Promise<PaginatedResponse<Application>>;
2113
+ /**
2114
+ * Create a new application.
2115
+ * @param data - The application name and optional description.
2116
+ * @returns The created application including one-time `client_secret`.
2117
+ */
2118
+ createApplication(data: ApplicationCreateData): Promise<ApplicationCreateResponse>;
2119
+ /**
2120
+ * Get a single application by its ID.
2121
+ * @param appId - The application ID.
2122
+ * @returns The application details (secret is never included).
2123
+ */
2124
+ getApplication(appId: string): Promise<Application>;
2125
+ /**
2126
+ * Fully update an application (PUT — all fields replaced).
2127
+ * @param appId - The application ID.
2128
+ * @param data - The full updated application data.
2129
+ * @returns The updated application.
2130
+ */
2131
+ updateApplication(appId: string, data: ApplicationUpdateData): Promise<Application>;
2132
+ /**
2133
+ * Partially update an application (PATCH — only provided fields are changed).
2134
+ * @param appId - The application ID.
2135
+ * @param data - The fields to update.
2136
+ * @returns The updated application.
2137
+ */
2138
+ patchApplication(appId: string, data: Partial<ApplicationUpdateData>): Promise<Application>;
2139
+ /**
2140
+ * Delete an application permanently.
2141
+ * @param appId - The application ID.
2142
+ */
2143
+ deleteApplication(appId: string): Promise<void>;
2144
+ /**
2145
+ * Regenerate credentials for an application.
2146
+ * **Warning:** Old credentials are immediately invalidated. The new secret is shown only once.
2147
+ * @param appId - The application ID.
2148
+ * @param confirmation - Must be the string `"REGENERATE"` to confirm the irreversible action.
2149
+ * @returns The new credentials (access_key + access_secret shown once).
2150
+ */
2151
+ regenerateCredentials(appId: string, confirmation?: string): Promise<ApplicationRegenerateResponse>;
2152
+ }
2153
+
2154
+ /**
2155
+ * All possible audit log action types.
2156
+ */
2157
+ type AuditAction = 'login' | 'login_failed' | 'logout' | 'logout_all' | 'token_refresh' | 'password_change' | 'password_reset_request' | 'password_reset_complete' | '2fa_enabled' | '2fa_disabled' | '2fa_backup_used' | 'account_created' | 'account_locked' | 'account_unlocked' | 'email_verified' | 'phone_verified' | 'role_assigned' | 'role_removed' | 'permission_changed' | 'app_created' | 'app_credentials_regenerated' | 'account_deleted' | 'suspicious_activity' | 'session_limit_exceeded' | 'device_limit_exceeded' | 'new_device_detected' | 'agent_action';
2158
+ /** An audit log entry. */
2159
+ interface AuditLog {
2160
+ id: string;
2161
+ user?: number | null;
2162
+ user_email: string;
2163
+ action: AuditAction;
2164
+ ip_address?: string | null;
2165
+ user_agent?: string;
2166
+ application?: number | null;
2167
+ application_name: string;
2168
+ details?: unknown;
2169
+ created_at: string;
2170
+ }
2171
+ /** A login attempt record. */
2172
+ interface LoginAttempt {
2173
+ id: string;
2174
+ identifier: string;
2175
+ ip_address: string;
2176
+ application?: number | null;
2177
+ success?: boolean;
2178
+ failure_reason?: string;
2179
+ created_at: string;
2180
+ }
2181
+ /** A blacklisted (revoked) JWT token. */
2182
+ interface BlacklistedToken {
2183
+ id: string;
2184
+ token_jti: string;
2185
+ user?: number | null;
2186
+ user_email: string;
2187
+ blacklisted_at: string;
2188
+ expires_at: string;
2189
+ reason?: string;
2190
+ is_expired: string;
2191
+ }
2192
+ /** A refresh token as seen from the admin view (token value hidden). */
2193
+ interface RefreshTokenInfo {
2194
+ id: string;
2195
+ user: number;
2196
+ user_email: string;
2197
+ application: number;
2198
+ application_name: string;
2199
+ device_info?: string;
2200
+ ip_address?: string | null;
2201
+ is_revoked?: boolean;
2202
+ is_expired: string;
2203
+ expires_at: string;
2204
+ created_at: string;
2205
+ last_used_at: string;
2206
+ }
2207
+ /** Parameters accepted by `listAuditLogs()`. */
2208
+ interface AuditLogListParams {
2209
+ /** Filter by user ID. */
2210
+ user_id?: string;
2211
+ /** Filter by action (login, login_failed, password_change, etc.). */
2212
+ action?: string;
2213
+ /** Filter by IP address. */
2214
+ ip_address?: string;
2215
+ /** Filter by application ID. */
2216
+ application_id?: string;
2217
+ /** After date (YYYY-MM-DD). */
2218
+ date_from?: string;
2219
+ /** Before date (YYYY-MM-DD). */
2220
+ date_to?: string;
2221
+ /** Sort field: `created_at`, `action`, `user`. */
2222
+ ordering?: string;
2223
+ /** Page number (1-indexed). */
2224
+ page?: number;
2225
+ /** Items per page (max 100). */
2226
+ page_size?: number;
2227
+ }
2228
+ /** Parameters accepted by `listLoginAttempts()`. */
2229
+ interface LoginAttemptListParams {
2230
+ /** Filter by identifier (email/phone). */
2231
+ identifier?: string;
2232
+ /** Filter by IP address. */
2233
+ ip_address?: string;
2234
+ /** Filter by success/failure. */
2235
+ success?: boolean;
2236
+ /** After date (YYYY-MM-DD). */
2237
+ date_from?: string;
2238
+ /** Before date (YYYY-MM-DD). */
2239
+ date_to?: string;
2240
+ /** Sort field: `created_at`, `identifier`, `ip_address`. */
2241
+ ordering?: string;
2242
+ /** Page number (1-indexed). */
2243
+ page?: number;
2244
+ /** Items per page (max 100). */
2245
+ page_size?: number;
2246
+ }
2247
+ /** Parameters accepted by `listBlacklistedTokens()`. */
2248
+ interface BlacklistedTokenListParams {
2249
+ /** Filter by user ID. */
2250
+ user_id?: string;
2251
+ /** Filter by reason (`logout`, `password_change`, `security`). */
2252
+ reason?: string;
2253
+ /** Filter by expired (true/false). */
2254
+ expired?: boolean;
2255
+ /** Sort field: `blacklisted_at`, `expires_at`. */
2256
+ ordering?: string;
2257
+ /** Page number (1-indexed). */
2258
+ page?: number;
2259
+ /** Items per page (max 100). */
2260
+ page_size?: number;
2261
+ }
2262
+ /** Parameters accepted by `listRefreshTokens()`. */
2263
+ interface RefreshTokenListParams {
2264
+ /** Filter by user ID. */
2265
+ user_id?: string;
2266
+ /** Filter by application ID. */
2267
+ application_id?: string;
2268
+ /** Filter by revoked status. */
2269
+ is_revoked?: boolean;
2270
+ /** Filter by expired status. */
2271
+ expired?: boolean;
2272
+ /** Sort field: `created_at`, `expires_at`, `last_used_at`. */
2273
+ ordering?: string;
2274
+ /** Page number (1-indexed). */
2275
+ page?: number;
2276
+ /** Items per page (max 100). */
2277
+ page_size?: number;
2278
+ }
2279
+ declare class AdminModule {
2280
+ private client;
2281
+ constructor(client: TenxyteHttpClient);
2282
+ /**
2283
+ * List audit log entries (paginated).
2284
+ * @param params - Optional filters and pagination.
2285
+ */
2286
+ listAuditLogs(params?: AuditLogListParams): Promise<PaginatedResponse<AuditLog>>;
2287
+ /**
2288
+ * Get a single audit log entry by ID.
2289
+ * @param logId - The audit log entry ID.
2290
+ */
2291
+ getAuditLog(logId: string): Promise<AuditLog>;
2292
+ /**
2293
+ * List login attempt records (paginated).
2294
+ * @param params - Optional filters and pagination.
2295
+ */
2296
+ listLoginAttempts(params?: LoginAttemptListParams): Promise<PaginatedResponse<LoginAttempt>>;
2297
+ /**
2298
+ * List blacklisted (revoked) JWT tokens (paginated).
2299
+ * @param params - Optional filters and pagination.
2300
+ */
2301
+ listBlacklistedTokens(params?: BlacklistedTokenListParams): Promise<PaginatedResponse<BlacklistedToken>>;
2302
+ /**
2303
+ * Remove expired blacklisted tokens.
2304
+ * @returns A summary object with cleanup results.
2305
+ */
2306
+ cleanupBlacklistedTokens(): Promise<Record<string, unknown>>;
2307
+ /**
2308
+ * List refresh tokens (admin view — token values are hidden).
2309
+ * @param params - Optional filters and pagination.
2310
+ */
2311
+ listRefreshTokens(params?: RefreshTokenListParams): Promise<PaginatedResponse<RefreshTokenInfo>>;
2312
+ /**
2313
+ * Revoke a specific refresh token.
2314
+ * @param tokenId - The refresh token ID.
2315
+ * @returns The updated refresh token record.
2316
+ */
2317
+ revokeRefreshToken(tokenId: string): Promise<RefreshTokenInfo>;
2318
+ }
2319
+
2320
+ /** Body accepted by `requestAccountDeletion()`. */
2321
+ interface AccountDeletionRequestData {
2322
+ /** Current password (required for confirmation). */
2323
+ password: string;
2324
+ /** 6-digit OTP code (required if 2FA is enabled). */
2325
+ otp_code?: string;
2326
+ /** Optional reason for the deletion request. */
2327
+ reason?: string;
2328
+ }
2329
+ /** Response returned by `requestAccountDeletion()`. */
2330
+ interface AccountDeletionRequestResponse {
2331
+ message?: string;
2332
+ deletion_request_id?: number;
2333
+ scheduled_deletion_date?: string;
2334
+ grace_period_days?: number;
2335
+ cancellation_token?: string;
2336
+ data_retention_policy?: {
2337
+ anonymization_after?: string;
2338
+ final_deletion_after?: string;
2339
+ };
2340
+ }
2341
+ /** Response returned by `confirmAccountDeletion()`. */
2342
+ interface AccountDeletionConfirmResponse {
2343
+ message?: string;
2344
+ deletion_confirmed?: boolean;
2345
+ grace_period_ends?: string;
2346
+ cancellation_instructions?: string;
2347
+ }
2348
+ /** Response returned by `cancelAccountDeletion()`. */
2349
+ interface AccountDeletionCancelResponse {
2350
+ message?: string;
2351
+ deletion_cancelled?: boolean;
2352
+ account_reactivated?: boolean;
2353
+ cancellation_time?: string;
2354
+ security_note?: string;
2355
+ }
2356
+ /**
2357
+ * Deletion status for the current user.
2358
+ * The shape is not strictly defined by the API schema — it returns a generic object.
2359
+ */
2360
+ type DeletionStatus = Record<string, unknown>;
2361
+ /** Response returned by `exportUserData()`. */
2362
+ interface UserDataExport {
2363
+ user_info?: Record<string, unknown>;
2364
+ roles?: unknown[];
2365
+ permissions?: unknown[];
2366
+ applications?: unknown[];
2367
+ audit_logs?: unknown[];
2368
+ export_metadata?: Record<string, unknown>;
2369
+ }
2370
+ /** Possible statuses for a deletion request. */
2371
+ type DeletionRequestStatus = 'pending' | 'confirmation_sent' | 'confirmed' | 'completed' | 'cancelled';
2372
+ /** A GDPR account deletion request (admin view). */
2373
+ interface DeletionRequest {
2374
+ id: string;
2375
+ user: number;
2376
+ user_email: string;
2377
+ status?: DeletionRequestStatus;
2378
+ requested_at: string;
2379
+ confirmed_at?: string | null;
2380
+ grace_period_ends_at?: string | null;
2381
+ completed_at?: string | null;
2382
+ ip_address?: string | null;
2383
+ reason?: string;
2384
+ admin_notes?: string;
2385
+ processed_by?: number | null;
2386
+ processed_by_email: string;
2387
+ is_grace_period_expired: string;
2388
+ }
2389
+ /** Parameters accepted by `listDeletionRequests()`. */
2390
+ interface DeletionRequestListParams {
2391
+ /** Filter by user ID. */
2392
+ user_id?: number;
2393
+ /** Filter by request status. */
2394
+ status?: DeletionRequestStatus;
2395
+ /** After date (YYYY-MM-DD). */
2396
+ date_from?: string;
2397
+ /** Before date (YYYY-MM-DD). */
2398
+ date_to?: string;
2399
+ /** Filter requests whose grace period expires within 7 days. */
2400
+ grace_period_expiring?: boolean;
2401
+ /** Sort field: `requested_at`, `confirmed_at`, `grace_period_ends_at`, `user__email`. */
2402
+ ordering?: string;
2403
+ /** Page number (1-indexed). */
2404
+ page?: number;
2405
+ /** Items per page (max 100). */
2406
+ page_size?: number;
2407
+ }
2408
+ /** Body accepted by `processDeletionRequest()`. */
2409
+ interface ProcessDeletionRequestData {
2410
+ /** Must be `"PERMANENTLY DELETE"` to confirm the irreversible action. */
2411
+ confirmation: string;
2412
+ /** Optional admin notes. */
2413
+ admin_notes?: string;
2414
+ }
2415
+ /** Response returned by `processDeletionRequest()`. */
2416
+ interface ProcessDeletionResponse {
2417
+ message?: string;
2418
+ deletion_completed?: boolean;
2419
+ processed_at?: string;
2420
+ data_anonymized?: boolean;
2421
+ audit_log_id?: number;
2422
+ user_notified?: boolean;
2423
+ }
2424
+ /** Response returned by `processExpiredDeletions()`. */
2425
+ interface ProcessExpiredDeletionsResponse {
2426
+ message?: string;
2427
+ processed_count?: number;
2428
+ failed_count?: number;
2429
+ skipped_count?: number;
2430
+ processing_time?: number;
2431
+ details?: {
2432
+ request_id?: number;
2433
+ user_email?: string;
2434
+ status?: string;
2435
+ grace_period_expired?: string;
2436
+ }[];
2437
+ }
2438
+ declare class GdprModule {
2439
+ private client;
2440
+ constructor(client: TenxyteHttpClient);
2441
+ /**
2442
+ * Request account deletion (GDPR-compliant).
2443
+ * Initiates a 30-day grace period during which the user can cancel.
2444
+ * @param data - Password (+ optional OTP code and reason).
2445
+ */
2446
+ requestAccountDeletion(data: AccountDeletionRequestData): Promise<AccountDeletionRequestResponse>;
2447
+ /**
2448
+ * Confirm the account deletion using the token received by email.
2449
+ * The token is valid for 24 hours. After confirmation the account enters the 30-day grace period.
2450
+ * @param token - The confirmation token from the email.
2451
+ */
2452
+ confirmAccountDeletion(token: string): Promise<AccountDeletionConfirmResponse>;
2453
+ /**
2454
+ * Cancel a pending account deletion during the grace period.
2455
+ * The account is immediately reactivated.
2456
+ * @param password - The current password for security.
2457
+ */
2458
+ cancelAccountDeletion(password: string): Promise<AccountDeletionCancelResponse>;
2459
+ /**
2460
+ * Get the deletion status for the current user.
2461
+ * Includes pending, confirmed, or cancelled requests.
2462
+ */
2463
+ getAccountDeletionStatus(): Promise<DeletionStatus>;
2464
+ /**
2465
+ * Export all personal data (GDPR right to data portability).
2466
+ * @param password - The current password for security.
2467
+ */
2468
+ exportUserData(password: string): Promise<UserDataExport>;
2469
+ /**
2470
+ * List deletion requests (admin, paginated).
2471
+ * @param params - Optional filters and pagination.
2472
+ */
2473
+ listDeletionRequests(params?: DeletionRequestListParams): Promise<PaginatedResponse<DeletionRequest>>;
2474
+ /**
2475
+ * Get a single deletion request by ID.
2476
+ * @param requestId - The deletion request ID.
2477
+ */
2478
+ getDeletionRequest(requestId: string): Promise<DeletionRequest>;
2479
+ /**
2480
+ * Process (execute) a confirmed deletion request.
2481
+ * **WARNING:** This is irreversible and permanently destroys all user data.
2482
+ * @param requestId - The deletion request ID.
2483
+ * @param data - Must include `{ confirmation: "PERMANENTLY DELETE" }`.
2484
+ */
2485
+ processDeletionRequest(requestId: string | number, data: ProcessDeletionRequestData): Promise<ProcessDeletionResponse>;
2486
+ /**
2487
+ * Batch-process all confirmed deletion requests whose 30-day grace period has expired.
2488
+ * Typically run by a daily cron job.
2489
+ */
2490
+ processExpiredDeletions(): Promise<ProcessExpiredDeletionsResponse>;
2491
+ }
2492
+
2493
+ /** Parameters accepted by `getStats()`. */
2494
+ interface DashboardStatsParams {
2495
+ /** Analysis period (default: `"7d"`). */
2496
+ period?: '7d' | '30d' | '90d';
2497
+ /** Include comparison with previous period. */
2498
+ compare?: boolean;
2499
+ }
2500
+ /** Global dashboard statistics returned by `getStats()`. */
2501
+ interface DashboardStats {
2502
+ summary?: {
2503
+ total_users?: number;
2504
+ active_users?: number;
2505
+ total_organizations?: number;
2506
+ total_applications?: number;
2507
+ active_sessions?: number;
2508
+ pending_deletions?: number;
2509
+ };
2510
+ trends?: {
2511
+ user_growth?: number;
2512
+ login_success_rate?: number;
2513
+ application_usage?: number;
2514
+ security_incidents?: number;
2515
+ };
2516
+ organization_context?: {
2517
+ current_org?: Record<string, unknown> | null;
2518
+ user_role?: string;
2519
+ accessible_orgs?: number;
2520
+ org_specific_stats?: Record<string, unknown>;
2521
+ };
2522
+ quick_actions?: {
2523
+ action?: string;
2524
+ count?: number;
2525
+ priority?: string;
2526
+ }[];
2527
+ charts?: {
2528
+ daily_logins?: unknown[];
2529
+ user_registrations?: unknown[];
2530
+ security_events?: unknown[];
2531
+ };
2532
+ }
2533
+ /**
2534
+ * Authentication statistics returned by `getAuthStats()`.
2535
+ * Login stats, methods, registrations, tokens, top failure reasons, 7-day graphs.
2536
+ */
2537
+ type AuthStats = Record<string, unknown>;
2538
+ /**
2539
+ * Security statistics returned by `getSecurityStats()`.
2540
+ * Audit summary, blacklisted tokens, suspicious activity, 2FA adoption.
2541
+ */
2542
+ type SecurityStats = Record<string, unknown>;
2543
+ /**
2544
+ * GDPR statistics returned by `getGdprStats()`.
2545
+ * Deletion requests by status, data exports.
2546
+ */
2547
+ type GdprStats = Record<string, unknown>;
2548
+ /**
2549
+ * Organization statistics returned by `getOrganizationStats()`.
2550
+ * Organizations, members, roles, top organizations.
2551
+ */
2552
+ type OrgStats = Record<string, unknown>;
2553
+ declare class DashboardModule {
2554
+ private client;
2555
+ constructor(client: TenxyteHttpClient);
2556
+ /**
2557
+ * Get global cross-module dashboard statistics.
2558
+ * Data varies based on the organizational context (`X-Org-Slug`) and permissions.
2559
+ * Covers users, authentication, applications, security, and GDPR metrics.
2560
+ * Charts span the last 7 days with previous-period comparisons.
2561
+ * @param params - Optional period and comparison flag.
2562
+ */
2563
+ getStats(params?: DashboardStatsParams): Promise<DashboardStats>;
2564
+ /**
2565
+ * Get authentication-specific statistics.
2566
+ * Includes login stats, methods breakdown, registrations, tokens, top failure reasons, and 7-day graphs.
2567
+ */
2568
+ getAuthStats(): Promise<AuthStats>;
2569
+ /**
2570
+ * Get security-specific statistics.
2571
+ * Includes audit summary, blacklisted tokens, suspicious activity, and 2FA adoption.
2572
+ */
2573
+ getSecurityStats(): Promise<SecurityStats>;
2574
+ /**
2575
+ * Get GDPR-specific statistics.
2576
+ * Includes deletion requests by status and data export metrics.
2577
+ */
2578
+ getGdprStats(): Promise<GdprStats>;
2579
+ /**
2580
+ * Get organization-specific statistics.
2581
+ * Includes organizations, members, roles, and top organizations.
2582
+ */
2583
+ getOrganizationStats(): Promise<OrgStats>;
2584
+ }
2585
+
2586
+ interface DecodedTenxyteToken {
2587
+ exp?: number;
2588
+ iat?: number;
2589
+ sub?: string;
2590
+ roles?: string[];
2591
+ permissions?: string[];
2592
+ [key: string]: any;
2593
+ }
2594
+ /**
2595
+ * Decodes the payload of a JWT without verifying the signature.
2596
+ * Suitable for client-side routing and UI state.
2597
+ */
2598
+ declare function decodeJwt(token: string): DecodedTenxyteToken | null;
2599
+
2600
+ /**
2601
+ * Map of all SDK events and their associated payload types.
2602
+ */
2603
+ interface TenxyteEventMap {
2604
+ /** Fired when the active session can no longer be recovered (refresh token expired/revoked). */
2605
+ 'session:expired': void;
2606
+ /** Fired after a successful silent token refresh. Payload is the new access token. */
2607
+ 'token:refreshed': {
2608
+ accessToken: string;
2609
+ };
2610
+ /** Fired after tokens are persisted to storage (login, register, refresh). */
2611
+ 'token:stored': {
2612
+ accessToken: string;
2613
+ refreshToken?: string;
2614
+ };
2615
+ /** Fired when an AI agent action requires human-in-the-loop approval (HTTP 202). */
2616
+ 'agent:awaiting_approval': {
2617
+ action: unknown;
2618
+ };
2619
+ /** Fired on unrecoverable SDK errors that are not tied to a specific call. */
2620
+ 'error': {
2621
+ error: unknown;
2622
+ };
2623
+ }
2624
+ /**
2625
+ * The primary entry point for the Tenxyte SDK.
2626
+ * Groups together logic for authentication, security, organization switching, and AI control.
2627
+ */
2628
+ declare class TenxyteClient {
2629
+ /** Fully resolved configuration (all defaults applied). */
2630
+ readonly config: ResolvedTenxyteConfig;
2631
+ /** Persistent token storage back-end (defaults to MemoryStorage). */
2632
+ readonly storage: TenxyteStorage;
2633
+ /** Shared mutable context used by interceptors (org slug, agent trace ID). */
2634
+ readonly context: TenxyteContext;
2635
+ /** The core HTTP wrapper handling network interception and parsing */
2636
+ http: TenxyteHttpClient;
2637
+ /** Authentication module (Login, Signup, Magic link, session handling) */
2638
+ auth: AuthModule;
2639
+ /** Security module (2FA, WebAuthn, Passwords, OTPs) */
2640
+ security: SecurityModule;
2641
+ /** Role-Based Access Control and permission checking module */
2642
+ rbac: RbacModule;
2643
+ /** Connected user's profile and management module */
2644
+ user: UserModule;
2645
+ /** Business-to-Business organizations module (multi-tenant environments) */
2646
+ b2b: B2bModule;
2647
+ /** AIRS - AI Responsibility & Security module (Agent tokens, Circuit breakers, HITL) */
2648
+ ai: AiModule;
2649
+ /** Applications module (API client CRUD, credential management) */
2650
+ applications: ApplicationsModule;
2651
+ /** Admin module (audit logs, login attempts, blacklisted tokens, refresh tokens) */
2652
+ admin: AdminModule;
2653
+ /** GDPR module (account deletion, data export, deletion request management) */
2654
+ gdpr: GdprModule;
2655
+ /** Dashboard module (global, auth, security, GDPR, organization statistics) */
2656
+ dashboard: DashboardModule;
2657
+ /** Internal event emitter used via composition. */
2658
+ private emitter;
2659
+ /**
2660
+ * Initializes the SDK with connection details for your Tenxyte-powered API.
2661
+ *
2662
+ * Accepts the full TenxyteClientConfig. Minimal usage with just { baseUrl }
2663
+ * is still supported for backward compatibility.
2664
+ *
2665
+ * @param options Configuration options including `baseUrl` and custom headers like `X-Access-Key`
2666
+ *
2667
+ * @example
2668
+ * ```typescript
2669
+ * const tx = new TenxyteClient({
2670
+ * baseUrl: 'https://api.my-service.com',
2671
+ * headers: { 'X-Access-Key': 'pkg_abc123' }
2672
+ * });
2673
+ * ```
2674
+ */
2675
+ constructor(options: TenxyteClientConfig);
2676
+ /** Subscribe to an SDK event. Returns an unsubscribe function. */
2677
+ on<K extends keyof TenxyteEventMap>(event: K, callback: (payload: TenxyteEventMap[K]) => void): () => void;
2678
+ /** Subscribe to an SDK event exactly once. Returns an unsubscribe function. */
2679
+ once<K extends keyof TenxyteEventMap>(event: K, callback: (payload: TenxyteEventMap[K]) => void): () => void;
2680
+ /** Unsubscribe a previously registered callback from an SDK event. */
2681
+ off<K extends keyof TenxyteEventMap>(event: K, callback: (payload: TenxyteEventMap[K]) => void): void;
2682
+ /** Emit an SDK event (internal use). */
2683
+ emit<K extends keyof TenxyteEventMap>(event: K, payload: TenxyteEventMap[K]): void;
2684
+ /**
2685
+ * Check whether a valid (non-expired) access token exists in storage.
2686
+ * Performs a synchronous JWT expiry check — no network call.
2687
+ */
2688
+ isAuthenticated(): Promise<boolean>;
2689
+ /**
2690
+ * Return the current access token from storage, or `null` if absent.
2691
+ */
2692
+ getAccessToken(): Promise<string | null>;
2693
+ /**
2694
+ * Decode the current access token and return the JWT payload.
2695
+ * Returns `null` if no token is stored or if decoding fails.
2696
+ * No network call is made — this reads from the cached JWT.
2697
+ */
2698
+ getCurrentUser(): Promise<DecodedTenxyteToken | null>;
2699
+ /**
2700
+ * Check whether the stored access token is expired without making a network call.
2701
+ * Returns `true` if expired or if no token is present.
2702
+ */
2703
+ isTokenExpired(): Promise<boolean>;
2704
+ /** Synchronous helper: checks JWT `exp` claim against current time. */
2705
+ private isTokenExpiredSync;
2706
+ /**
2707
+ * Returns a synchronous snapshot of the SDK state.
2708
+ * Designed for consumption by framework wrappers (React, Vue, etc.).
2709
+ * Note: This is async because storage access may be async.
2710
+ */
2711
+ getState(): Promise<TenxyteClientState>;
2712
+ }
2713
+ /**
2714
+ * Snapshot of the SDK state, intended for framework wrappers.
2715
+ *
2716
+ * **Event contract for reactive bindings:**
2717
+ * - `token:stored` → re-read state (login, register, refresh succeeded)
2718
+ * - `token:refreshed` → access token was silently rotated
2719
+ * - `session:expired` → clear authenticated state
2720
+ * - `agent:awaiting_approval` → an AI action needs human confirmation
2721
+ * - `error` → unrecoverable SDK error
2722
+ */
2723
+ interface TenxyteClientState {
2724
+ /** Whether the user has a valid, non-expired access token. */
2725
+ isAuthenticated: boolean;
2726
+ /** Decoded JWT payload of the current access token, or `null`. */
2727
+ user: DecodedTenxyteToken | null;
2728
+ /** Raw access token string, or `null`. */
2729
+ accessToken: string | null;
2730
+ /** Currently active organization slug, or `null`. */
2731
+ activeOrg: string | null;
2732
+ /** Whether the SDK is operating in AI Agent mode. */
2733
+ isAgentMode: boolean;
2734
+ }
2735
+
2736
+ /**
2737
+ * Lightweight EventEmitter for TenxyteClient.
2738
+ * Provides `.on`, `.once`, `.off`, and `.emit`.
2739
+ */
2740
+ declare class EventEmitter<Events extends Record<string, any>> {
2741
+ private events;
2742
+ constructor();
2743
+ /**
2744
+ * Subscribe to an event.
2745
+ * @param event The event name
2746
+ * @param callback The callback function
2747
+ * @returns Unsubscribe function
2748
+ */
2749
+ on<K extends keyof Events>(event: K, callback: (payload: Events[K]) => void): () => void;
2750
+ /**
2751
+ * Unsubscribe from an event.
2752
+ * @param event The event name
2753
+ * @param callback The exact callback function that was passed to .on()
2754
+ */
2755
+ off<K extends keyof Events>(event: K, callback: (payload: Events[K]) => void): void;
2756
+ /**
2757
+ * Subscribe to an event exactly once.
2758
+ */
2759
+ once<K extends keyof Events>(event: K, callback: (payload: Events[K]) => void): () => void;
2760
+ /**
2761
+ * Emit an event internally.
2762
+ */
2763
+ emit<K extends keyof Events>(event: K, payload: Events[K]): void;
2764
+ removeAllListeners(): void;
2765
+ }
2766
+
2767
+ export { type AccountDeletionCancelResponse, type AccountDeletionConfirmResponse, type AccountDeletionRequestData, type AccountDeletionRequestResponse, AdminModule, type AdminUpdateUserParams, type AgentPendingAction, type AgentTokenSummary, AiModule, type Application, type ApplicationCreateData, type ApplicationCreateResponse, type ApplicationListParams, type ApplicationRegenerateResponse, type ApplicationUpdateData, ApplicationsModule, type AuditAction, type AuditLog, type AuditLogListParams, AuthModule, type AuthStats, B2bModule, type BlacklistedToken, type BlacklistedTokenListParams, CookieStorage, type CustomDeviceInfo, DashboardModule, type DashboardStats, type DashboardStatsParams, type DecodedTenxyteToken, type DeletionRequest, type DeletionRequestListParams, type DeletionRequestStatus, type DeletionStatus, EventEmitter, GdprModule, type GdprStats, type GeneratedSchema, type HttpClientOptions, LocalStorage, type LogLevel, type LoginAttempt, type LoginAttemptListParams, type LoginEmailOptions, type LoginPhoneOptions, type MagicLinkRequest, type MagicLinkResponse, MemoryStorage, NOOP_LOGGER, type OrgMembership, type OrgStats, type OrgTreeNode, type Organization, type PaginatedResponse, type Permission, type ProcessDeletionRequestData, type ProcessDeletionResponse, type ProcessExpiredDeletionsResponse, RbacModule, type RefreshTokenInfo, type RefreshTokenListParams, type RegisterRequest, type RegisterResponse, type RequestConfig, type ResolvedTenxyteConfig, type RetryConfig, type Role, SDK_VERSION, SecurityModule, type SecurityStats, type SocialLoginRequest, TenxyteClient, type TenxyteClientConfig, type TenxyteClientState, type TenxyteContext, type TenxyteError, type TenxyteErrorCode, type TenxyteEventMap, TenxyteHttpClient, type TenxyteLogger, type TenxyteStorage, type TenxyteUser, type TokenPair, type UpdateProfileParams, type UserDataExport, UserModule, buildDeviceInfo, createAuthInterceptor, createDeviceInfoInterceptor, createRefreshInterceptor, 
createRetryInterceptor, decodeJwt, resolveConfig };